Wednesday, August 22, 2012

#Security question du jour

Why does the ‘runas’ command fail to work properly on Windows when within a command shell?

The “runas” Command

The runas command is a useful command that allows a user to run a command as another user (typically a privileged user, such as administrator) by providing the password when prompted. Because runas needs an executable to launch, a built-in such as del has to be wrapped in cmd /c:

    runas /u:administrator "cmd /c del file.txt"

In a command shell this will not work as the penetration tester is never prompted for the password.  To circumvent this issue, it’s possible to use the “schtasks” or “at” command to run the command at a short time in the future as the specified user.  One caveat to this is that the command shell has to have administrative or SYSTEM privileges to work.

Command shell access on Windows targets can have many pitfalls.  

A command shell is not the same as Terminal Access. Hitting CTRL-C while inside a command shell over a netcat connection will cause the netcat connection to drop.  This is the case with Windows targets as well.  

If you have gained shell access on a Windows system by launching a netcat listener on the Windows target system and interacting with it using a netcat client, you will be in a command shell and not in Terminal access (as you would be with a Telnet session).

Command Shell access should not be confused with the use of the Windows Command Processor (cmd.exe). Command line and command shell are often confused terms.

Sunday, August 19, 2012

#Security Quiz

Quick #Security Quiz (Friday 16th Aug 2012):

What are the major differences between terminal access and a command shell?


Command Shell vs. Terminal Access

Many times, an exploit will leave the penetration tester with command shell access on the target computer.  It is easy to think that a command shell is the same as the access you get when you telnet or SSH to a system.  This is not the case.  Terminal access such as telnet or SSH has intelligence built into the clients that takes care of things like authentication, screen formatting, handling of special characters and the like.  Command shells are essentially raw standard input and standard output, which means they have no way of handling these conditions, and that will cause a penetration tester issues in certain situations.

Control key sequences are also a problem with command shells.  For example, it is typical to use CTRL-C to interrupt an executing command, but if this is done in a shell inside of a netcat connection, the netcat connection will drop.  This can be a major problem if a lot of time and effort was expended to get a command shell on the target.  CTRL-Z, CTRL-D and others cause similar problems.  A penetration tester has to be very careful when executing commands.
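The difference between raw standard input/output and a real terminal can be seen directly. The following Python example is added here and is not code from the original post; it stands in for the two situations described above: a child process run behind plain pipes (what a netcat shell gives you) and the same child run behind a pseudo-terminal (what telnet or SSH give you). The child program, the "ready" handshake and the result dictionary are all constructed for this example. In the pipe case the byte 0x03 (CTRL-C) simply arrives as data; behind the terminal the line discipline turns it into SIGINT and the child is interrupted. That is also why the netcat client on the operator's side dies: it is the local terminal that turns CTRL-C into a signal for the local process, and the raw connection never carries the notion of an interrupt at all.

```python
import os
import pty
import signal
import subprocess
import sys

# Constructed child program: reports whether its stdin is a terminal, then
# reads one byte so we can see what a CTRL-C (byte 0x03) turns into.
CHILD = (
    "import sys\n"
    "kind = 'tty' if sys.stdin.isatty() else 'raw'\n"
    "print('ready STDIN=' + kind, flush=True)\n"
    "data = sys.stdin.buffer.read(1)\n"
    "print('BYTE=' + repr(data), flush=True)\n"
)


def _summarise(text, interrupted):
    return {
        "is_tty": "STDIN=tty" in text,          # did the child see a terminal?
        "got_byte": "BYTE=b'\\x03'" in text,    # did 0x03 arrive as plain data?
        "interrupted": interrupted,             # or was the child interrupted?
    }


def run_over_pipes():
    """Command-shell style: stdin/stdout are plain pipes, as in a netcat shell.
    There is no line discipline, so 0x03 is just another byte of input."""
    p = subprocess.Popen([sys.executable, "-c", CHILD],
                         stdin=subprocess.PIPE, stdout=subprocess.PIPE,
                         stderr=subprocess.STDOUT)
    out, _ = p.communicate(b"\x03")
    return _summarise(out.decode(errors="replace"), p.returncode != 0)


def run_over_pty():
    """Terminal style: the child runs behind a pseudo-terminal, as it would
    under telnet or SSH. The tty line discipline turns 0x03 into SIGINT."""
    try:
        pid, fd = pty.fork()
    except OSError:
        return None  # no pseudo-terminal support in this environment
    if pid == 0:  # child: default SIGINT action, then exec the test program
        signal.signal(signal.SIGINT, signal.SIG_DFL)
        try:
            os.execv(sys.executable, [sys.executable, "-c", CHILD])
        finally:
            os._exit(127)
    buf = b""
    try:
        while b"ready" not in buf:           # wait until the child blocks in read()
            chunk = os.read(fd, 1024)
            if not chunk:
                break
            buf += chunk
        os.write(fd, b"\x03")                # the same byte as in the pipe case
    except OSError:
        pass
    _, status = os.waitpid(pid, 0)
    try:
        while True:                          # drain whatever the child printed
            chunk = os.read(fd, 1024)
            if not chunk:
                break
            buf += chunk
    except OSError:                          # EIO once the slave side is closed
        pass
    os.close(fd)
    interrupted = os.WIFSIGNALED(status) or os.WEXITSTATUS(status) != 0
    return _summarise(buf.decode(errors="replace"), interrupted)


if __name__ == "__main__":
    print("pipes:", run_over_pipes())
    print("pty:  ", run_over_pty())
```

Run it on a Linux or macOS host: the pipe run reports `is_tty` False and `got_byte` True, the pseudo-terminal run reports `is_tty` True and `interrupted` True with no byte ever delivered. Nothing in the example touches the network; it isolates the terminal behaviour the post is describing.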

Tuesday, August 14, 2012

#Security Question du jour

Now, it is a given that it is always possible to write to a device on Linux if you have sufficient privileges. 

Given that statement, what is the purpose of the read-only option in the mount command then and does it do anything?


"mount -o ro /dev/hdc /tmp/hdd_c"

The Answer:

It is always possible to write to the physical device if you have the right permissions on a Linux or UNIX system. An example would be writing to the /dev/hdc physical drive. When you mount a drive on Linux, the mount point that you set it to can be configured to be read-only. The important thing to remember is not to write to the physical drive and only use the read-only mounted partition. Just because functionality is there does not mean you need to use it. Like everything in a forensic assignment, take due care and record what you do.
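The mount option only protects the mount point, so a forensic examiner should verify it rather than assume it. The following Python example is added here and is not from the original post; it parses text in the format of /proc/mounts (the sample lines are constructed, including a mount point containing a space, which the kernel writes as the octal escape \040) and reports whether a given mount point carries the ro option. The hardening reminders in forensic_mount_findings reflect common forensic practice: the block device itself stays writable to root regardless of how it is mounted, which is why a hardware write blocker or the real blockdev --setro command is used before mounting.

```python
import re

# Constructed sample in /proc/mounts format (not captured from a real system).
SAMPLE_MOUNTS = """\
/dev/sda1 / ext4 rw,relatime,errors=remount-ro 0 0
/dev/hdc /tmp/hdd_c ext3 ro,relatime 0 0
/dev/sdb1 /mnt/evidence\\040disk ntfs ro,noexec,nosuid,nodev 0 0
tmpfs /run tmpfs rw,nosuid,nodev,mode=755 0 0
"""


def _unescape(field):
    """/proc/mounts encodes space, tab, newline and backslash as \\NNN octal."""
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), field)


def parse_mounts(text):
    """Parse /proc/mounts lines into dicts with the option string split into a set."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # ignore blank or malformed lines
        dev, mnt, fstype, opts = (_unescape(p) for p in parts[:4])
        entries.append({"device": dev, "mountpoint": mnt,
                        "fstype": fstype, "options": set(opts.split(","))})
    return entries


def find_mount(text, mountpoint):
    for entry in parse_mounts(text):
        if entry["mountpoint"] == mountpoint:
            return entry
    return None


def is_mounted_read_only(text, mountpoint):
    entry = find_mount(text, mountpoint)
    if entry is None:
        raise ValueError(f"{mountpoint} is not mounted")
    return "ro" in entry["options"]


def forensic_mount_findings(text, mountpoint):
    """Checks an examiner makes before touching an evidence mount."""
    entry = find_mount(text, mountpoint)
    if entry is None:
        return [f"{mountpoint}: not mounted"]
    findings = []
    if "ro" not in entry["options"]:
        findings.append(f"{mountpoint}: mounted read-write; remount with -o ro")
    for want in ("noexec", "nosuid", "nodev"):   # commonly added on evidence mounts
        if want not in entry["options"]:
            findings.append(f"{mountpoint}: consider adding -o {want}")
    findings.append(f"{entry['device']}: the block device stays writable to root; "
                    "use a hardware write blocker or 'blockdev --setro' first")
    return findings


if __name__ == "__main__":
    # On a live system read the real table instead of the constructed sample:
    #   with open("/proc/mounts") as f: text = f.read()
    for mp in ("/tmp/hdd_c", "/", "/mnt/evidence disk"):
        print(mp, "ro" if is_mounted_read_only(SAMPLE_MOUNTS, mp) else "rw")
        for finding in forensic_mount_findings(SAMPLE_MOUNTS, mp):
            print("  -", finding)
```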

Tuesday, August 7, 2012

# Security question du jour


How does an attacker determine which client-side programs are in use at the target so they can launch an exploit?

An attacker can use any of the following to determine which client-side applications are in use:

- Ask target personnel: ask the staff in charge of the client machines to divulge what client-side software is running. Creating a checklist is recommended.
- Analyse metadata from any available documents recently produced by the target organisation.
- Ask target personnel to surf to the testing systems to gain useful insight. Some tools, such as Metasploit, can be used here: Metasploit's "Browser Autopwn" configures Metasploit as a web server, and when a browser surfs to it, Metasploit consults the User-Agent string and also sends JavaScript to pull information from the browser.
- Guess: most organisations are running Microsoft Office, Adobe Acrobat Reader, the Java Runtime Environment, etc.

Other ways also exist.
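The document-metadata point above is easy to check from the defender's side: before a document is published, look at what its property parts say. The following Python example is added here and is not from the original post; it builds a minimal constructed .docx (a zip containing only the two OOXML property parts, with made-up creator and machine names) and reads back the fields an outsider would see: the authoring application and its version, the creator, and the last-modified-by name. The same function works on real .docx, .xlsx and .pptx files, which all carry docProps/app.xml and docProps/core.xml.

```python
import io
import xml.etree.ElementTree as ET
import zipfile

# OOXML namespaces used by docProps/app.xml and docProps/core.xml
NS_APP = "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties"
NS_CP = "http://schemas.openxmlformats.org/package/2006/metadata/core-properties"
NS_DC = "http://purl.org/dc/elements/1.1/"


def build_sample_docx():
    """Constructed minimal .docx: a zip with just the two property parts.
    Values are made up for the example."""
    app_xml = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        f'<Properties xmlns="{NS_APP}">'
        "<Application>Microsoft Office Word</Application>"
        "<AppVersion>14.0000</AppVersion>"
        "</Properties>"
    )
    core_xml = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        f'<cp:coreProperties xmlns:cp="{NS_CP}" xmlns:dc="{NS_DC}">'
        "<dc:creator>jdoe</dc:creator>"
        "<cp:lastModifiedBy>J. Doe (EXAMPLE-PC)</cp:lastModifiedBy>"
        "</cp:coreProperties>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("docProps/app.xml", app_xml)
        z.writestr("docProps/core.xml", core_xml)
    return buf.getvalue()


def _text(root, ns, tag):
    el = root.find(f"{{{ns}}}{tag}")
    return el.text.strip() if el is not None and el.text else None


def extract_office_metadata(data):
    """Return the identifying fields readable from a .docx/.xlsx/.pptx blob."""
    md = {"application": None, "app_version": None,
          "creator": None, "last_modified_by": None}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = set(z.namelist())
        if "docProps/app.xml" in names:
            root = ET.fromstring(z.read("docProps/app.xml"))
            md["application"] = _text(root, NS_APP, "Application")
            md["app_version"] = _text(root, NS_APP, "AppVersion")
        if "docProps/core.xml" in names:
            root = ET.fromstring(z.read("docProps/core.xml"))
            md["creator"] = _text(root, NS_DC, "creator")
            md["last_modified_by"] = _text(root, NS_CP, "lastModifiedBy")
    return md


def leaking_fields(md):
    """Fields still populated, i.e. what a pre-publication scrub should blank."""
    return [k for k, v in md.items() if v]


if __name__ == "__main__":
    # For a real file: extract_office_metadata(open("report.docx", "rb").read())
    meta = extract_office_metadata(build_sample_docx())
    print(meta)
    print("still populated:", leaking_fields(meta))
```

The Application and AppVersion strings are exactly the kind of inventory the post describes; stripping them from outgoing documents (most office suites offer a "remove personal information" or document-inspection step) removes that source.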

#Security Question du jour

The Question:

Which tool supports the use of the specialized IP Traceroute message described in RFC 1393?

The Answer:

Layer Four Traceroute (LFT)

LFT is another flexible traceroute tool that helps you get away from the reliance on UDP and ICMP within Unix/Linux traceroute and Windows tracert.  Though UDP and ICMP are supported with the use of command-line flags, LFT uses TCP probes by default.  LFT also allows you to pick the destination port of the probe, which lets the penetration tester leverage protocols that are typically allowed through a network, such as HTTP or HTTPS (TCP ports 80 and 443 respectively).

Another feature is the ability to choose a source port which will also aid in evading network port filtering measures by using typically allowed source ports.  As an example, it’s typical for networks to allow traffic from UDP port 53 to allow responses to DNS requests.  By leveraging this and setting your source port to UDP 53, your probes may be allowed into the network.

Lastly, LFT supports the use of the specialized IP Traceroute message described in RFC 1393.  Routers that support this functionality respond with a special ICMP message that carries the hop count from the source of the probe, making the trace more efficient.  The downside of this method is that many routers do not support this functionality or have it blocked or disabled, which limits its usefulness.
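The RFC 1393 mechanism is easier to reason about with the message in front of you. The following Python example is added here and is not from the original post or from LFT: it encodes and decodes the ICMP Traceroute message (ICMP type 30) exactly as RFC 1393 lays it out, with a standard Internet checksum, using constructed field values. The Outbound Hop Count field is what lets a single response tell the sender how far away a router is, instead of walking TTL values one hop at a time; the example only builds and parses bytes and sends nothing.

```python
import struct

ICMP_TRACEROUTE = 30      # ICMP type assigned to the RFC 1393 Traceroute message
CODE_FORWARDED = 0        # outbound packet successfully forwarded
CODE_DISCARDED = 1        # no route for outbound packet; packet discarded

# type, code, checksum, ID number, unused, outbound hops, return hops,
# output link speed, output link MTU (RFC 1393 section 3.1 layout, 20 bytes)
_FMT = "!BBHHHHHII"
_LEN = struct.calcsize(_FMT)


def inet_checksum(data):
    """Standard one's-complement Internet checksum (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_traceroute_msg(id_number, outbound_hops, return_hops,
                         link_speed, link_mtu, code=CODE_FORWARDED):
    """Encode the reply a router would send for a traced packet."""
    hdr = struct.pack(_FMT, ICMP_TRACEROUTE, code, 0, id_number, 0,
                      outbound_hops, return_hops, link_speed, link_mtu)
    csum = inet_checksum(hdr)           # computed with the checksum field zeroed
    return hdr[:2] + struct.pack("!H", csum) + hdr[4:]


def parse_traceroute_msg(data):
    """Decode a message and report whether its checksum verifies."""
    if len(data) < _LEN:
        raise ValueError("truncated ICMP Traceroute message")
    (msg_type, code, _csum, ident, _unused, out_hops, ret_hops,
     speed, mtu) = struct.unpack(_FMT, data[:_LEN])
    if msg_type != ICMP_TRACEROUTE:
        raise ValueError(f"not an ICMP Traceroute message (type {msg_type})")
    return {
        "code": code,
        "forwarded": code == CODE_FORWARDED,
        "checksum_ok": inet_checksum(data[:_LEN]) == 0,   # sum over a valid message is zero
        "id": ident,
        "outbound_hops": out_hops,
        "return_hops": ret_hops,
        "link_speed": speed,
        "link_mtu": mtu,
    }


if __name__ == "__main__":
    # Constructed values: probe ID 0x1234, router 3 hops out, 5 hops back.
    msg = build_traceroute_msg(0x1234, 3, 5, 100_000_000, 1500)
    print(msg.hex())
    print(parse_traceroute_msg(msg))
```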


Saturday, August 4, 2012

#Security Question du jour:


Which attack sends packets with the victim’s IP address as both the source and destination?

The Land attack is a DoS attack in which the attacker sends the victim numerous SYN packets spoofed so that the source and destination IP address and port number are both the victim's own.

This leaves the victim system analysing a packet that appears to be one it sent itself: a TCP session-opening packet addressed to itself.
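Because the signature is so specific, a Land packet is easy to flag in traffic. The following Python example is added here and is not from the original post; it parses the IPv4 and TCP headers of a raw packet and flags a SYN whose source and destination address and port are identical, while leaving ordinary host-to-self traffic on different ports alone. The packets are constructed in the example (documentation addresses, zeroed checksums) so it runs offline; on a real capture you would feed it the bytes of each frame after the link-layer header.

```python
import socket
import struct

TCP_SYN = 0x02
TCP_ACK = 0x10


def make_tcp_packet(src, dst, sport, dport, flags):
    """Constructed IPv4+TCP packet for testing; checksums are left at zero
    because only the header fields are examined here."""
    tcp = struct.pack("!HHIIHHHH", sport, dport, 0, 0, (5 << 12) | flags, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return ip + tcp


def parse_ipv4_tcp(pkt):
    """Return addresses, ports and TCP flags, or None if not IPv4/TCP."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, _tl, _id, _frag, _ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    if ver_ihl >> 4 != 4 or proto != 6:
        return None
    ihl = (ver_ihl & 0x0F) * 4               # IPv4 options shift the TCP header
    if len(pkt) < ihl + 20:
        raise ValueError("truncated TCP header")
    sport, dport, _seq, _ack, off_flags = struct.unpack("!HHIIH", pkt[ihl:ihl + 14])
    return {"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
            "sport": sport, "dport": dport, "flags": off_flags & 0x1FF}


def is_land_packet(info):
    """Land signature: a bare SYN whose source equals its destination (IP and port)."""
    if info is None:
        return False
    syn_only = bool(info["flags"] & TCP_SYN) and not (info["flags"] & TCP_ACK)
    return syn_only and info["src"] == info["dst"] and info["sport"] == info["dport"]


def count_land(packets):
    """Count Land packets in a sequence of raw packets, skipping malformed ones."""
    hits = 0
    for pkt in packets:
        try:
            if is_land_packet(parse_ipv4_tcp(pkt)):
                hits += 1
        except ValueError:
            continue
    return hits


if __name__ == "__main__":
    land = make_tcp_packet("192.0.2.10", "192.0.2.10", 139, 139, TCP_SYN)
    normal = make_tcp_packet("198.51.100.5", "192.0.2.10", 40000, 80, TCP_SYN)
    print("land:", is_land_packet(parse_ipv4_tcp(land)))
    print("normal:", is_land_packet(parse_ipv4_tcp(normal)))
```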

Which software development life cycle model allows for multiple iterations of the development process, resulting in multiple prototypes, each produced according to a complete design and testing process?

What are the stages of this model?

A. Software Capability Maturity Model
B. Waterfall model
C. Development cycle
D. Spiral model

The answer:
D. The spiral model allows developers to repeat iterations of another life cycle model (such as the waterfall model) to produce a number of fully tested prototypes.

The Spiral Model is an alternative life cycle model to the Waterfall that allows for multiple iterations of a waterfall-style process.

The spiral model encapsulates a number of iterations of the waterfall model making it a metamodel, or a “model of models.”

Each “loop” of the spiral results in the development of a new system prototype.

System developers would apply the entire waterfall process to the development of each prototype, thereby incrementally working toward a mature system that incorporates all of the functional requirements in a fully validated fashion.

Boehm’s spiral model was developed as a response to the major criticism of the waterfall model: it gives developers a method for jumping back into the planning stages of the software design project as and when changing technical demands and customer requirements require the system to evolve.
image:Spiral model.gif
