    IT Security Incident DB, Australia/NZ


    This page is a list of items that are related to HackLabs and the work we perform.

    NB: HackLabs is a Security Consulting Company specialising in Penetration Testing. We perform testing for our clients, who are from all around the world.


    Entries by HackLabs (10)


    The Search for RDP Hosts (MS12-020): MS SBS Server

    With a sudden surge in people scanning for RDP ports that are exposed to the internet, one can assume they are building lists of possibly vulnerable hosts, waiting for the chance to spring once exploit code comes on board. This of course got me thinking about profiling the people most likely to be running RDP. Several people have been portscanning TCP 3389, but a quick list method is much easier.

    Microsoft Small Business Server = RDP Pain. I came to this conclusion because:

    • It's designed to run all critical and sensitive data on one server
    • It has an internet-facing design touted by MS
    • It is the core of most SMBs' operations
    • It is possibly slower to be patched, given the likelihood of not having a dedicated IT team
    • There are 6,000 of them indexed by Google

    That's right: "Google Dorking" for inurl:/Remote/logon.aspx gives a little over 6,000 entries, which is a nice way to start a list of vulnerable hosts.

    Please go patch your SBS Server.


    Research - Apache DoS Exploit, Partial Content

    During the weekend Kingcope released an exploit, "Apache Killer", for Apache Web Servers on the Full Disclosure message board. The vulnerability takes advantage of a feature called "Partial Content" that allows Apache sites which support it to be DoSed in many cases.

    Apache Killer works by sending partial content requests to Apache httpd. These requests cause the daemon to swap memory to the filesystem, and with enough requests, exhausts the server of its resources.

    We did some testing for some of our customers and confirmed that it worked very well with little resources (a 3G connection was used during the testing to DoS a site).

    We edited the exploit script, removed the DoS payload and then used it to determine how many sites could be affected. By running this across the Alexa Top 1000 sites for Australia we identified that 91 were possibly vulnerable. Similarly, on the ASX 200 list 26 organisations were likely to be vulnerable.

    To mitigate this in one instance where no other controls were possible (as in a shared hosting environment), an iptables rule was used to defend against it. However, any firewall, WAF or IPS could be configured to prevent this attack.
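    As an added example (not from the original post or HackLabs' own tooling), here is the kind of header filter a WAF or IPS could apply in front of a shared host, written in Python: it parses a Range value, drops requests carrying five or more ranges (a threshold assumed here, in line with the mitigation advice Apache published at the time) or overlapping ranges, and also covers the older Request-Range alias. The sample header values are constructed.

```python
import re

# Constructed sample Range values (not from the original post) used by the checks below.
SAMPLE_NORMAL = "bytes=0-499"
SAMPLE_OVERLAP = "bytes=0-100,50-150"
SAMPLE_FLOOD = "bytes=0-," + ",".join("5-%d" % i for i in range(1300))
MAX_RANGES = 5  # assumed threshold: five or more ranges in one request is treated as abuse
_SPEC = re.compile(r"^\s*(\d*)\s*-\s*(\d*)\s*$")

def parse_ranges(value):
    """Parse a 'bytes=' range set into (first, last) tuples (None = open end); None if malformed."""
    if not value.lower().startswith("bytes="):
        return None
    ranges = []
    for spec in value[len("bytes="):].split(","):
        m = _SPEC.match(spec)
        if not m or not any(m.groups()):
            return None
        first, last = (int(g) if g else None for g in m.groups())
        if first is not None and last is not None and last < first:
            return None
        ranges.append((first, last))
    return ranges

def range_abuse_reason(value, max_ranges=MAX_RANGES):
    """Return why a Range value should be dropped, or None if it looks benign."""
    if not value.lower().startswith("bytes="):
        return None
    if len(value.split(",")) >= max_ranges:
        return "too_many_ranges"  # counted before validation so a flood is dropped even if malformed
    ranges = parse_ranges(value)
    if ranges is None:
        return None  # Apache ignores a malformed Range header, so there is nothing to swap
    closed = sorted(r for r in ranges if r[0] is not None and r[1] is not None)
    for (_, prev_last), (cur_first, _) in zip(closed, closed[1:]):
        if cur_first <= prev_last:
            return "overlapping_ranges"  # stricter than a plain count; overlaps have no legitimate use
    return None

def strip_abusive_ranges(headers, max_ranges=MAX_RANGES):
    """Drop Range/Request-Range headers that look abusive, as a WAF rule would; return (kept, reasons)."""
    kept, reasons = {}, {}
    for name, value in headers.items():
        if name.lower() in ("range", "request-range"):
            reason = range_abuse_reason(value, max_ranges)
            if reason:
                reasons[name] = reason
                continue
        kept[name] = value
    return kept, reasons
```

    Stripping the header rather than rejecting the request keeps legitimate clients working; they simply receive the full response instead of a partial one.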

    To test your susceptibility to this attack you could run curl with the following (substituting your own site for the placeholder URL) to determine if Partial Content is supported on your Apache site; a "206 Partial Content" status line in the output means it is:

    curl -H "Range: bytes=1-" -I http://www.example.com/ | grep Partial

    A patch adding support for turning off Partial Content was also found here with a quick Google.

    Also, someone else has posted this video of the DoS in action (albeit in a test environment).



    Writing Firesheep Scripts

    A lot has been written about Firesheep and, whilst I have provided some commentary on it myself, there wasn't much mentioned about the fact that it relies on specific scripts tailored to the sites it targets. Curious, I had a quick play and wrote up a couple of scripts for some Australian sites I have used.

    NB: All of the ones I tested used HTTP for the sign-in process, which was the default setting. Some offered HTTPS, but only as an additional link to click.

    It's a pretty straightforward process:

    1) Identify the correct domain

    2) List the cookies sent as part of the session (normally the ones sent to you after you have authenticated)

    3) Identify the section of the page in which the user name is displayed

    4) Modify the identifyUser function. For the sites I looked at it meant I had to change "this.userName = resp.body.querySelector('changeme').innerHTML;"

    The changeme value above has to reference where the username value is. So for Whirlpool, for example, the page source snippet looks like this:



    The username is referenced as the following within the script:

    this.userName = resp.body.querySelector('dl.userinfo span').innerHTML; 

    One thing I did notice when running Firesheep was the number of third-party connectors that sites were running. As these were linked from the news site I was viewing, they automatically connected back over HTTP to the service.

    In one example it had a bookmark extension and a Facebook connector. If you had an open session in another window, or opted to keep yourself logged in by checking a box (which I guess many users might do), it would connect back and expose the session cookies, and hence appear in Firesheep.

    I don't condone illegal activity and have provided the above information for people to evaluate their own applications or the applications they legitimately have access to. 
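    As an added example (not part of the original post or the scripts linked below), this Python audit runs the checks you would do against your own site before worrying about Firesheep: it inspects a constructed login URL and its Set-Cookie headers for session cookies that lack the Secure flag, are domain-wide, or persist across visits, which is exactly what an open HTTP session in another window or a "keep me logged in" box leaks. The cookie name heuristics and the sample response are assumptions.

```python
from urllib.parse import urlsplit

# Constructed login response (not captured from any real site): a sign-in page served over
# plain HTTP that sets a session cookie without the Secure or HttpOnly flags.
SAMPLE_LOGIN_URL = "http://www.example.com/login"
SAMPLE_SET_COOKIE = [
    "sessid=a1b2c3d4; Path=/; Domain=.example.com",
    "remember_me=1; Path=/; Expires=Wed, 01 Jan 2020 00:00:00 GMT",
    "csrf=xyz; Path=/; Secure; HttpOnly",
]
# Assumed name fragments that mark a cookie as session-related.
SESSION_HINTS = ("sess", "sid", "auth", "token", "login", "remember")

def parse_set_cookie(header):
    """Split one Set-Cookie header into (name, {attribute_lowercase: value}); bare flags map to True."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return name, attrs

def audit_login(url, set_cookie_headers, session_hints=SESSION_HINTS):
    """Return (cookie_name, finding) pairs for anything a passive HTTP sniffer could capture."""
    findings = []
    scheme = urlsplit(url).scheme.lower()
    if scheme != "https":
        findings.append(("-", "sign-in over %s: password and cookies cross the wire in clear text" % scheme))
    for header in set_cookie_headers:
        name, attrs = parse_set_cookie(header)
        if not any(h in name.lower() for h in session_hints):
            continue  # only session-bearing cookies matter for hijacking
        if "secure" not in attrs:
            findings.append((name, "no Secure flag: the browser also sends it over plain HTTP"))
            if str(attrs.get("domain", "")).startswith("."):
                findings.append((name, "scoped to all subdomains (%s): any HTTP request to any subdomain leaks it" % attrs["domain"]))
        if "httponly" not in attrs:
            findings.append((name, "no HttpOnly flag: readable by injected script as well"))
        if "expires" in attrs or "max-age" in attrs:
            findings.append((name, "persistent: a 'keep me logged in' cookie is replayed by every later visit"))
    return findings
```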

    The following firesheep scripts were written with help from RD (Thanks Mate).

    Whirlpool, Optus, Seek


    Presentation: Social Media Abuse

    This was a presentation that Chris Gatford gave at the Internet Events Seminar on Social Media.


    Interview: Advice for Small Businesses IT Security

    Often HackLabs are asked: how do I secure my small business? Or, what are the key tasks I can perform to secure my small business or family PC?

    Recently HackLabs was interviewed on ABC Radio. Chris has posted a blog entry with some of the advice and information mentioned in the interview.

    Small Business Security Advice