
In my last post I showed how to use Selenium to make complex brute force attacks easier, with a very basic and quick example against my website.  Here is an even shorter post on how to mitigate the attack using the mod_security Apache module.  I won’t cover how to install or configure it; I will just show the rules I am using to detect and respond to a similar brute force attack.  They work reasonably well, although I must admit I haven’t done extensive testing with them.

I don’t want to be blocked forever just in case I did something dumb, so I set up the rules to blacklist a particular IP address for only five minutes.  You can definitely play with the timing and the number of failed login attempts required to trigger the filter.  The way it is set up, it will block an IP address from accessing only the login page (the rest of the site is still available) if that IP address fails 15 times in three minutes.  The block lasts for five minutes and is then reset.

Before showing you the rules, a brief explanation is in order.  Mod_security allows rules to work off of persistent storage.  There is a defined set of collections, and within them you can set a variable and a value.  A few features allow you to either decrement the count of a numeric variable over time or expire it completely after a specified timeframe.  Unfortunately, these variables work in an unexpected way.  I initially set up my rules to set a block variable (IP.bf_blocked) in the IP collection once a certain threshold had been reached, with the variable set to expire in 5 minutes.  Every time I accessed the site after triggering the rule, I was still blocked.  I kept asking why my modsecurity expirevar values weren’t being honored.  Frustrating!

So after furious searching and trying to figure out what was happening, I finally found a post here that explains the problem: “The reason for this is how ModSecurity handles expiry timers for variables. Basically, every time a collection is updated, the LAST_UPDATE_TIME timestamp for that collection gets set to the current time. Since we increment the request_count variable for every request, this will monotonically increase.”

Okay, that makes sense.  The examples they provide are pretty good, but there are a couple of errors in the rules that mean they don’t work right.  Anyway, based on that information and some testing, here is what I came up with for the WordPress login page.

There is an uptick in brute force attacks against web applications.  The Web Hacking Incident Database keeps track of many attacks and compiles the results; they show that insufficient anti-automation (which includes DoS attacks, but I won’t be covering that today) is the number one cause of website incidents.

Brute force methods are an old standby, and many of the attack proxies offer fantastic brute force abilities.  But I always find myself wanting more control, the ability to tweak things, and more intelligent functionality.  Unfortunately most of these apps are pretty rigid in the actions they can perform; if the developer didn’t think of what you want to do, you are out of luck.  In these cases it isn’t so uncommon to find myself writing code in Perl, shell, PHP, JavaScript, and whatever else I need to pull off a specific test case.

Some web apps are really complex, or occasionally someone even develops an application with good session management designed to resist attack.  I recently came across an application that did just this.  The login page invalidated the user’s session and deleted the cookies each time the page was loaded (assuming a login failure).  In addition to this, it had CSRF protections in place, so the form had nonce values which were tied to the session (no reuse).  If the session and nonce weren’t validated, the application threw a security warning and didn’t process the attempted login.  Performing a successful brute force attack against this setup poses a few challenges.  And neither ZAP nor Burp Suite were meeting my needs (still love ’em though).

This is where Selenium comes in very useful.  Selenium is a test framework, mostly used by developers and QA test folks.  It has very good potential for pen-testing too.  It lets you create a customized brute force attack script in just minutes that would otherwise have taken hours to accomplish.  It runs through a full-featured web browser (usually Firefox, but it has other hooks too), so things like tracking application state, nonces, sessions, properly setting referrers and the myriad other crazy dependencies that can arise in a complex web application are handled seamlessly.  Basically it allows you to automate a web browser.

I’ll give a quick demo on BackTrack Linux (Ubuntu based).  Here is the overview.

I’ll be honest, I’m not a big fan of the Windows DNS service.  There are cases where an organization might want to use the Windows DNS service as a primary for their Internet-facing zones.  I wanted to see how DNSSEC was set up on Windows and whether Bind 9 could slave off of it.  Turns out it works fine.  This is the second of two posts on DNSSEC; the first post can be viewed here and dealt with setting up a Bind 9 primary server with DNSSEC.

Most of what I did here is documented in the Microsoft DNSSEC guide.  It’s really long, and it took a lot of reading to figure out what really needed to be done (tl;dr).  It’s a good idea to have this document handy if you are working on this.  Broken down, the process is roughly the same as for Bind 9.

  • Build your zone files.
  • Create a KSK, and ZSK.
  • Sign the zone file.
  • Reconfigure DNS server to use the signed file.
  • Slave your other servers.
  • Send the DS record to the registrar.
  • Test.

The Windows DNSSEC implementation has a few differences from Bind.  First, you can’t sign dynamic DNS zones (Bind can).  Otherwise it works almost the same, as long as you are willing to hand-edit the zone files (they are pretty much the same format as Bind, so if you know that, it is dead simple).  I am not going to cover the maintenance of DNSSEC zones on Windows; basically the process is to edit your source zone, increment the serial number, re-sign, and tell the service to reload the zone configuration.  Easy enough.

Here’s the zone I’ll be working with . . .

The first step is to create your Key Signing Key.

About once a year I take the time to read up on the latest in password cracking techniques, try them out, and decide if anything really warrants a change in my behavior.  Well, things have definitely heated up over the last couple of years.

Rainbow tables were the last big thing in password attacks.  It’s a really interesting concept that trades time for storage.  As you would expect, these things get really big, especially when you start talking about eight or more characters.  Add in any level of complexity and you can see astronomical sizes; for example, the NTLM tables for lengths 1-8 including upper and lower case and numbers are 453 GB.  That’s almost double the limit for inbound data that Comcast allows in a month for their residential customers.  Not only that, it would probably take about a month to download.

Still, it’s a neat hack, and since searching a rainbow table is super fast, it will remain relevant for a long time.  But something else has changed.

Enter the GPU.  Graphics processors are designed in a significantly different fashion than a CPU.  They can do a small set of very specific computational tasks extremely efficiently.  If the task you have CAN be run on a GPU, it will probably be significantly faster than if done on a normal CPU.

Let’s take for instance my humble test system.  The CPU isn’t awful, but isn’t very speedy either.  It’s an Intel Quad-core Q8200 at 2.33 GHz, which is rated at 37.28 GFLOPS.  It was low-mid range a few years ago, and I recently put one of the lower-end graphics cards in it.  When I was shopping for a new card, my only real requirement was a DisplayPort connector so I could use my iMac as a monitor and not have to run BackTrack in a VM.  I bought the cheapest card I could find with DisplayPort, at the time a Radeon 5570.  Yes, it’s ONLY a $65 graphics card.  But it’s capable of 520 GFLOPS (there are 400 processors on there).

I have been reading about DNSSEC and decided to do some quick testing.

One of the questions I had was, what happens with slave nameservers?  How does DNSSEC work with a slave?  Does it need copies of keys?  If my hosting provider is slaved off of me and running Bind 9.x, what extra steps need to be taken to enable DNSSEC?  Well, the answer to that turned out to be really simple.  The slave servers don’t work any differently than normal; all of the signing and key management is inside the zone file.

Setting up the signed zones isn’t really as hard as you might expect.  There are a few concepts you have to understand:

  • DNSSEC relies on a chain of trust based on public key cryptography.
  • It uses encryption for validation, not privacy.
  • You will most likely use a couple of public/private key pairs, one for signing keys and one for signing zones.
  • The parent zone must have information about your key signing key.  This is done with a DS resource record, which is just a hash of the key signing public key in a DNS record.
  • Why two keys?  By using a key signing key and a zone signing key, you can rotate the key used for signing the zone without having to notify your parent zone.

So setting it up goes something like this.