Python has rapidly become a popular language for security professionals. It’s human readable with an easy syntax, has a comprehensive standard library and easily importable external libraries, is multi-platform, and is suitable for both larger programs and smaller scripts alike. Python is easy to learn for novice programmers yet robust enough for seasoned developers. What makes it such an effective tool for security professionals is the support of extensive libraries specifically designed for penetration testing. For that reason, it makes perfect sense for the SANS Institute to add SEC573 Python for Penetration Testers to their vast list of InfoSec courses.
“SANS SEC573 Python for Penetration Testers” is a five-day class that teaches the basics of the Python language and then builds on that knowledge to show how to use its specialized libraries to perform network capture and analysis, SQL injection, Metasploit integration, password guessing and much more. You also learn how to use Python to create an encoded backdoor to evade IDS and antivirus controls. This article presents an extensive day-by-day review of the in-person course taught by Mark Baggett, the author of the SANS Python for Penetration Testers course and the pyWars gaming environment.
Ever since the Internet took off from its humble beginnings as a simple connection between the two networks of UCLA and Stanford for educational purposes, it has increasingly been used by the global population as a means of communication, commerce, charity and much more. The myriad ways of utilizing the Internet backbone all require software engineering of web-enabled applications (webapps). A new product from High-Tech Bridge SA called ImmuniWeb® performs webapp security assessments. If you’re like me, you’re probably thinking that this is just another webapp vulnerability scanner but hang on! It provides an innovative hybrid approach along with some really creative additional modules for assessing security beyond just the webapp. Why would we need such a hybrid approach?
Critical systems are being moved to the Internet by every industry, each of which now requires diligence to ensure its own survival. Education uses the Internet to evolve learning platforms and make enrollment more efficient. The media industry uses the Internet for everything from personal blogs to content delivery of every type. Commercial industry uses it for everything from customer service to revenue collection, banking for everything from account management to funds transfer, and communication for both voice and data. Government is using technology to… well let’s not turn this into a political argument. Let’s just take a detailed look at this unique new offering and how it can help the security posture of your entire organization regardless of the industry to which you belong.
WordPress is by far the most popular Content Management System (CMS) in the world today. According to W3 Techs, “WordPress is used by 58.2% of all the websites whose content management system we know. This is 18.6% of all websites.” As with most modern, popular CMSs, the WordPress application itself is hardened and secure out of the box. But to get all of the cool ‘stuff’ that makes a site memorable and engaging, WordPress site owners often use 10 – 20 plugins for each installation. As of July 2013, WordPress.org lists 25,700 plugins with more than 475 million downloads, and that doesn’t include those outside of the WordPress repository. It’s these third-party plugins that leave an otherwise tight framework vulnerable to exploitation and make attempts at hacking WordPress common. Many installed plugins remain unpatched or overlooked, and even those not activated through the WordPress Dashboard provide an excellent attack surface. With shared hosting plans and consolidated corporate data centers, more often than not your instance of WordPress is not the only web application residing on your server.
For the sake of brevity, I won’t “beat a dead horse” and talk about why Cross-Site Scripting (XSS) is dangerous. There still is some confusion surrounding XSS and its role in network breaches, how it is used, and how it can be utilized over and over to do the same thing. An attacker cannot leverage an XSS flaw to directly “hack” into a server. Instead, by chaining vulnerabilities together and socially engineering personnel, an attacker can move from XSS to an internal compromise fairly quickly. This tutorial shows how hacking WordPress with a simple XSS flaw can be crafted into a vehicle to intrude on internal networks.
Shrinking budgets and geographical diversity are pushing educational trends out of the classroom and into online learning opportunities. But hands-on training and skills evaluation are a trickier problem to solve in that paradigm. Information Security training is no exception. Yet many students seeking training in Information Security face barriers to entry involving the prior knowledge expected of them and how to get it. Many offerings assume a level of proficiency above what a beginner may have, especially one who has not already worked in Information Security. To add to the beginner’s frustration, most training organizations don’t offer the background learning necessary to get to that level. Enter the eLearnSecurity (eLS) Penetration Testing Student course.
The eLearnSecurity Penetration Testing Student v2 course addresses the need for online, hands-on education for the beginner. The flexible and self-paced, browser-accessible online course teaches basic foundational concepts for students who wish to enter the field of penetration testing while allowing hands-on application through the Hera Student Lab and, optionally, the Coliseum Web Application Testing Framework. The course provides an ordered and appropriately broad basic introduction into foundational concepts for the beginner. While this course alone will not produce a qualified penetration tester, it provides a guided hands-on opportunity to become familiar with some of the basic concepts. It is effective for those who are exploring the possibility of penetration testing as a career path, or for those who simply want to know more about what penetration testers are capable of doing.
By Robert J. Shaker II, CISSP, CCSK, CGEIT, CRISC
Since the dawn of man there has been intelligence. Hunter-gatherers would venture out and learn from the world around them what each sound, smell, and taste meant. The growl of a large predator would alert them to prepare for a defensive effort or to change paths. The smell of smoke meant other humans were nearby, and a bitter taste meant something wasn’t edible. As time marched forward, learning more about the other packs of humans around them became more important. There was competition or cooperation for resources, but this required getting to know the other pack. Sometimes the best way to do that was to spy on them, to gather human intel about the way they behaved, the way they interacted with each other, and to determine how strong or weak they were.
Regardless of the point in history, this has always proven to be true. We can see it as we progress through our modern era. In fact, this became so important that commercial intelligence companies began forming. The Age of Exploration saw a boom in this industry as the colonial armies grew. Their need for intelligence required outside parties, whether to help with the sheer volume of work, to cope with geographic dispersal, or to give plausible deniability. Is it so different now?
Today, we are up against countless adversaries. They’re nameless, faceless and shrouded behind false information. The ships on the horizon, the spies in our midst and the fortress we protect are all in the digital domain. The virtual skies are foggy and visibility is low. Today’s environment is much more difficult to navigate. The one commonality between these two vastly different times is the importance of human intel, and I’d argue that today it’s more important than ever. A couple of scenarios below will illustrate just how important it is for our innately human talents to remain a vital part of cyber security.
By Todd Kendall
Security professionals are often tasked with the unenviable position of wading through millions of bits of data, the review of thousands of systems, or the evaluation of hundreds of applications. At the end of the day it is their job to provide the ten thousand foot view of an organization and the highest rated findings that put it at risk. Information overload is a common theme in today’s society, and management requires the presentation of this material in a digestible manner of typically one page or less. The ability to provide this service requires what is often referred to as “seeing the forest for the trees.” In other words, don’t get distracted or bogged down by the minutiae of your discoveries at the risk of overlooking the big picture.
When it comes to computer forensics, however, the tables are flipped. When an event turns into an incident and management must answer to a board or the company’s shareholders, the ten thousand foot view is no longer adequate. At this point, every packet that ever crossed your company’s domain becomes suspect, and the expectation is that the answers to questions such as how did it happen, what damage did it do, where did it come from, when exactly did it occur, and who did it require the puzzle to be unraveled and presented in such excruciating detail it would make Melville take up skim-reading.
By Todd Kendall
It seems pertinent during this time of year, as I finish off the last batch of leftover Christmas cookies, some peppermint bark, and a large glass of eggnog, to talk about a phenomenon known as the sugar high. I’m talking about the high one gets after consuming large amounts of sugar, also called a “sugar rush.” Sugar highs cause twitchiness, spasms, and hyperexcitability. Sugar highs do not last very long and leave a person feeling drained afterwards.1
As an IT Security Consultant I have had the opportunity to work with a variety of organizations over the years, often on multiple occasions and on multiple projects ranging from Security Policy Development, Gap Analysis and Penetration Testing to, in some cases, Incident Response and Forensics. When you work with organizations in this capacity it is difficult not to develop personal relationships over time, and, as any good consultant will tell you, you want to earn a “trusted” relationship not only from an ethical point of view but also from a capitalist point of view. Let’s face it, more trust means more business.
As in any relationship, you may at some point find yourself in a position where you simply have to tell the other party that they aren’t listening, despite all of the times you have had the same conversation and they have sworn up and down to take your advice.
By Thomas Wilhelm
I had a question the other day from a student at the Hacking Dojo who was interested in accessing a Windows system remotely through SMB. My initial response was to tell the student that it was similar to FTP, and that they should conduct the same type of enumeration against SMB as they would against anything else open on the system. Unfortunately, this did not help the student, because their hands-on experience with Windows file sharing had all been through the GUI. It then dawned on me that, since I came from a Solaris background, I had a different experience: I would simply map the drives at the command line as a system/network administrator. Because of this, I decided to put together a quick tutorial for my students. Since there might be some additional confusion in the general populace of the security community, I thought getting it published on The Ethical Hacker Network would be beneficial. In a world where security awareness is rapidly increasing and even your grandmother has a secure wireless access point, one might imagine that admins without command line experience and open, anonymous SMB shares are a thing of the past… think again!
During a penetration test (pentest), it is natural to investigate FTP services within a network that allow anonymous access. It is possible that sensitive data is unintentionally placed on an FTP server by non-IT employees (for the sake of convenience) without knowing who else can access the material. During a pentest, I find these anonymous FTP systems quite frequently, and in some cases they serve up useful information. Now, if we compare FTP with system shares, we find that employees are even quicker to allow anonymous access to their own files – all it takes is someone wanting access to some document another employee has on their system. In fact, sharing a single file makes it easier to maintain revisions than copying a file back and forth to an FTP server. While that is certainly convenient for the employees, it is obviously quite devastating for the organization’s security posture. So let’s take a look at SMB shares and how we can take advantage of them.