Why Website fail with password

t seem only more apparent this week that so many websites fail at storing user passwords, with the password dump of Linkedin, eharmony and lasfm password this week. The scary thing about it, is there are sites that don’t even use any encryption methods to store user passwords and this can be proven usually with a simple check.

In order to understand how passwords work it’s necessary to understand what a Hash function is and what it does. There are two key features to a Hash function, it is fixed length and it’s always one way, meaning it cannot be reversed. The reversed bit being a big key in this example.

The way passwords on websites work is that you sign up to a website and type in a username and password. The password is then put through a hashing algorithm to produce a fixed length hash.

Bad Example Code:
$password = test123
$Hash = sha1($password)
print $Hash

The above is a very basic example of how some sites may do it, then the hash is stored in the database. When you go to sign on the above process happens, you type in your password it hashes it again and then compares the hash to the stored entry if it’s valid you get access if it’s not then you will get a failed login attempt.

So the question here is how do you know a password is being stored in plain text without hacking the site? Well it’s simple, most sites have password reset buttons. If you forget your password you can use this method to get a way to reset your password. However some websites will send you your password in plain text, this means that they must be storing the password in plain text in the database or an unproved hashing method. As well as all know hashes are none reversible so they can’t be taking your hash and reversing it, then sending you your password as the whole point of a hash is it can’t be reversed. I have noticed that jobs sites are really bad for this but I am sure there are many more that are failing to do such a simple task as using a salt and a good hashing algorithm to store passwords.

Social Engineering Tips

Social Engineering is one of my favorite subjects, this is because it’s so hard to defend against and can be very effective. It does not matter how much you spend on Firewalls, IDE, CCTV and security guards, if I can walk into your building unchallenged and pick up a computer or any sensitive data there is no point in investing large amounts of money into technology that you think will keep your company safe from attack.

I wanted to share some tools and tricks that I use when doing Social Engineering. The best part of Social Engineering is you can practice it anywhere just by talking to people and trying to get information from them.

Tools in my arsenal:
Mobile Phone
Lock Picks
Business cards
SET
Teensy Device
RFID Card

The first thing you need is bags of confidence as you are trying to sell yourself, this is where practicing comes into play. I gained a lot of this from working in sales and selling to customers, trying to make them part with cash and buy more stuff. The company I used to work for also showed me how to manipulate people and overcome objections.

You have to be quick witted too and think fast off your feet. Never try to sell yourself as someone who has certain skills when you don’t. You may be in a situation where you need to think fast to get out of it. For example you get stopped by a security guard. What are you gonna say to him ? Are you just going to give up? What story will be good enough so he lets you go on your way?

The first tool that you should always have is a mobile phone this is one of the best tools ever in Social Engineering. The good thing about us humans is that we are either really nice people or not confident enough to interrupt someone on the phone, as that would just be so rude. Speaking on the phone whilst walking into a building or hanging outside a RFID door on the phone waiting for a kind soul to hold the door open for us is just so easy. This pretty much works all of the time and it is really effective.

I tend to carry lock picks with me at all times but I very rarely used them, but the one time I might need them it’s better to have them than not.

A good business card will sell you like nothing else it’s easy to get cheap business cards printed these days and they are a great way to backup any story you are trying to sell. Another good tip is if you can get a business card for someone who works at the company you are doing the Social Engineering attack against you might be able to go to another location and sell yourself as being that person who works for the company.

SET Social Engineering toolkit is a great tool that works well with the teensy device. Depending on your scope you can always use this to drop USB around the company and there a good chance that someone will plug it in and run the exploit on the USB.

If you are doing a Social Engineering attack and you know they use RFID doors you can buy a RDIF card off of Ebay even though it won’t work but when people see it, you can just say your card has been playing up and you need to get it sorted. Most people will see the card and just let you in.

These are just a few hints and tips when doing Social Engineering.

Web app tools

I wanted to write down what tools I tend to use in every web app test so here are the most common tools I use.

  • Firefox – plugins foxy proxy,tampa data,
  • Google Chrome
  • Burpsuit
  • SQLmap
  • Hoppy
  • Nikto
  • sslScan

I tend to use firefox as my main testing browser this is because it had lots of plugins that make life easy and also does not have a built in feature like xss filtering like chrome. I then use Google chrome as another web browser that allows me to search and use the internet without having any of the search results show up in burpsuit or any other tools.

Burpsuit is the main tool I use, simply put it’s the best one to use. It has loads of features and if you have the pro version you can sometimes identify low hanging fruit. It allows you to scan the site, intercept requests and modify paramaters. You can use tampa data to modify requests but burpsuit has many more features that really does make life easier.

The next tool is sqlmap. I use this then when I need it, mainly if I identify an sql injection point. This allows me to easy dump the database without knowing every sql statement off by heart.

Hoppy and Nikto I tend to run after each other to try and gather more information about the web application. Hoppy is a fansatic little tool written in python and is a http options prober which checks the availability of http methods as well as probing them to see if they can be forced to disclose system information. Nikto again tries to identify directories and other information about the web applications. On many occasions it has helped me to find Webdav directories which allows me to upload contents to the site.

Last but not least sslscan, this is great to determine the ciphers that are supported on a website. It identifes if it’s using sslv1 or sslv2 as well as if it is using encryption equal too or greater than 128b.

So what do you think am I missing? Anything you would add to the list? Most of the tools are free apart from burpsuit but you can get a free version of that too.

BSidesLondon

Yesterday I attended my first ever BSidesLondon event at the Barbican Center. I arrived at the venue around 8 o’clock and signed in to get my name badge. The BSide team were still setting things up but around 8.30am we were allowed to enter, getting a wrist band, a free t shirt and other promotional goods in a bag. There were a nice mixture of hot and cold drinks as well as fruit and croissants to eat, until the event really kicked off at 9am. The venue had three rooms that were hired out, it was short trip to reach track three, an okay trip to reach track two, but a really long trip to reach track one. I planed my day before I went and knew which talks I really wanted to attend and was lucky that most were in track two.

The first talk I attended was the one by Robin Wood who is a senior security engineer at RandomStore, he gave an excellent talk on how to break into security and also had some stats. Robin had surveyed over 300 professionals to ask them some common questions that all newbies trying to break into security would want answered. For example ‘What certificates are worth doing?’ ‘Do you need to code?’ and so on. This was a really good talk, with Robin making loads of valid points and the results from his survey helped to answer some of the most common questions that I have been asked and I would recommended checking them out.


The second talk I attended was based on social Engineering by Ian Maxted who works as security consultant for Encryption. This covered everything you would expect from a Social Engineer talk. What it is, how to implement it, as well as why companies should get social engineering done.

The next talk I wanted to see was mapping the penetration tester mind 0 to root in 60 minutes but the speaker was not found so another speaker had to step in to talk about randomization. This was a really interesting talk and if have you attended 4420 you may have heard this talk before. The talk was based on how random functions work and how they should be implemented correctly. It was really technical and Maths based.

The last talk I attended before lunch was by Robert McArdle who is a manager of Trend Micro’s. This talk was based on some cool new features of HTML 5 as well as how we can use the good features for bad. This was a really cool talk with loads of new interesting attack vectors in HTML, it discussed how if you are using black list to prevent XSS attacks how HTML has new tags that won’t yet be black listed, so it could leave your site open to XSS. It also mentioned how you can infect browsers and how antivirus software would not pick it up. Overall this was my second favourite talk and I hope to look into HTML 5 soon and post links to slides once they are out.

Then it was lunch time, during the day there were also breaks but at lunch you could go and network. Also a bag was provided that contained a sandwich,drink,mints,crisps and a fortune cookie. I planned on meetings loads of people at BSidesLondon who I knew from talking to online. One of the biggest problems I found were trying to find them, the name badges were pretty small and I didn’t want to just go and stare at someone. So a lot of people I was hoping to meet and talk to I didn’t really get to meet.

After lunch I was undecided with what I wanted to go and see as I had a meeting setup with the awesome CV clinic. I decided to go and see Gavin Ewan talk on a sales guide to social engineering. Social engineering is a cool topic and one that I am really interested in. Gavin decided to talk more about how to read people and influence their decisions. All the aspects he was talking about, were taught to me when working for a big UK retailer so it was interesting to hear and see the same techniques that were taught to me being used in a different environment. This by far was my favourite talk as it was interesting but funny too. Sadly I had to leave a bit early to attend my CV clinic appointment.

The CV clinic was run by staff from KPMG and I must say they were super, giving me loads of good advice and tips on sorting out my CV. I thought I had a perfect CV but they did rip it apart making loads of really good points. I was with Susan for about an hour and the help and advice she gave me I know will help me and I can’t thank her enough.

After I got my CV sorted I got to network again which meant I got a chance to speak to a few people I already knew, so that was cool to catch up, by the end of this time, I was so tired so I decided to leave and travel home.

Overall this was a wicked event, there were loads of great talks and freebies flying about all over the place. I can thank the staff, sponsors and talkers enough without their time and money the event would not be possible. I would recommend that more companies should get involved and support BSidesLondon.

Links to slides
escalating privileges on common web apps
webapp exploit payload
web app testing without permission
wep app demo

Links to Video
Posted in Security Blog

Dictionaries and Wordlist

I have cracked many passwords and the key to doing so is having a good word list or dictionaries and the skill to use the right word list at the given time. I think most people see word lists and dictionaries as the same thing, I tend to look at them as being word lists which are just a list of words that can be mixed with numbers and other symbols, where as a dictionary is words you would find in an English dictionary with no numbers or other symbols appended to them. I have seen a lot of word lists that are a mixture of both so I can see why people would think they are the same thing.

I create a lot of my own word lists depending on what I am trying to crack. I want to try to gain access as quickly as I can, so I don’t waste my time just running a big word list at given hashes. I try and get a more custom word list thinking about the company locations and the employers in the company. A example of this would be that company A is located in Manchester, so I would then make a word list based on this. So I might have football teams,players names, local attractions, any dates in history and so on. The aim would be to try and gain access to an account as soon as I can, if this failed I would then try a bigger word list like an English dictionary. If I still had no luck I would move onto a really big word list of common passwords like rockyou.txt If after all this I still did not have a login I would then try to use some kore logic rules with John the Ripper to try and mangle the password list. I would hope after doing this I should have gained access to at least one account and then from this I can make progress.

Tips for creating a word list/Dictionary

  • Merged each ‘collection’ into one file (minus the ‘readmes’ files)
  • Removed leading & trailing spaces & tabs
  • Converted all ‘new lines’ to ‘Unix’ format
  • Removed non-printable characters
  • Removed HTML tags (Complete and common incomplete tags)
  • Removed (common domains) email addresses
  • Removed duplicate entries
  • Split into two parts – ‘Single or two words’ and ‘multiple spaces’.
  • Sorted by the amount of times the word was duplicated – Therefore higher up the list, the more common the word is.
  • Sorted again by ‘in-case sensitive A-Z’.
  • Joined back together – Single or two words at the start.

Links to word list/Dictionary
skullsecurity
kismac wordlist
hashcrack
packetstormsecurity
0×80
dictionary-thesaurus
outpost9
openwall JTR
word list on Wikipedia
isdpodcast

John the Ripper Rules
Korelogic rules

Tips and links from g0tmi1k website

Nessus

This is another short video that I done on Nessus about a year ago but thougth I would add it as maybe useful for someone.

This is a short video I done about a year ago on Nessus

Security events around the world

Security Events Around the World

There are many security events that are run around the world I have mainly listed the most common in the USA and most in Europe.(New Dates will be added once anounced)

UK Events 44Con London RSA Europe

USA Defcon 19 Black Hat Training: July 21 – 24 Briefings: July 25 – 26 BSides

Paris Nuit Du Hack

Netherlands DIMVA Black Hat Europe March 14 – 16, 2012

Spain HYPERLINK “http://www.sourceconference.com/barcelona/”Source Barcelona

Brussel BruCon

If you are intrested in other Events around the world check out Ethical Hacker Network Calendar