Tuesday, June 3, 2014

Security Model CISSP: The Biba Model

The Biba Model is the integrity counterpart of the Bell-LaPadula model: its rules are the Bell-LaPadula rules turned upside down. Biba focuses on integrity, which is what commercial companies care about most; they want to be sure that data is not modified by anyone (or anything) less trustworthy than the data itself.

For example, an accounting firm needs to be sure that the company sends a check for $1,000.00 and not for $100,000.00 (oh man, I would like to receive that money, LOL). It is a big difference, and that is the idea behind the Biba model: a low-integrity input must never be able to overwrite a high-integrity record.

Again, I got this info from the Shon Harris book; it is a good book for the CISSP (if you really want to know the details).

This is the cream of the Biba model:

  • *-integrity axiom: a subject "cannot write up" (no writing to an object at a higher integrity level, so untrusted data never flows into trusted data).

  • Simple integrity axiom: a subject "cannot read down" (no reading from an object at a lower integrity level, so a trusted process is not contaminated by untrusted input).

  • Invocation property: a subject cannot request service from (invoke) a subject at a higher integrity level.


Let's take another example: what would happen if I began to write anything I think about the Biba model? Would the information be correct? Who knows. But in this case I am taking the details from the Shon Harris book, so the integrity of the information is right; remember that.



Security Model CISSP Bell-LaPadula

OK guys, to be a good pen tester we need to have some knowledge. I've been working on the CISSP, and there are some points that we normally tend to forget. So here we go with the Bell-LaPadula model for the CISSP.

I got this info from the Shon Harris book. Good book, it has many details.

Focus: Confidentiality

Bell-LaPadula is called a multilevel security (MLS) system because users with different clearances use the same system and processes to access data at different classification levels, and the model has to keep the higher-classified data from leaking to the lower-cleared users.

This is the cream, three rules:


  • Simple security rule: a subject cannot read data at a higher security level ("no read up").

  • *-property rule (star property rule): a subject cannot write data to a lower security level ("no write down"), so a Secret process cannot copy Secret data into an Unclassified file.

  • Strong star property rule: a subject can only read and write at its own security level.

Dominance relation: a subject's clearance dominates an object's classification when its level is at least as high as the object's and its set of categories (the need-to-know compartments) contains the object's categories. The rules above are evaluated against this relation, not against the level number alone: a Secret/finance subject cannot read a Secret/hr object.
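To make the two rule sets concrete, here is a small reference monitor that evaluates the Bell-LaPadula rules above and the Biba rules from the previous post side by side, using the same lattice of levels and categories for both. This is an added example, not from the Shon Harris book or from the original posts; the level names, the finance/hr categories and the check-writing scenario are invented for illustration.

```python
"""Reference-monitor checks for the Bell-LaPadula (confidentiality) and Biba (integrity) rules."""
from dataclasses import dataclass, field
from enum import IntEnum


class Level(IntEnum):
    """Ordered levels. Read them as clearance/classification for BLP and as
    integrity levels for Biba; only the ordering matters (hypothetical names)."""
    LOW = 0       # Unclassified / untrusted (e.g. data typed into a web form)
    MEDIUM = 1    # Confidential / moderately trusted
    HIGH = 2      # Secret / trusted (e.g. the accounting ledger)
    TOP = 3       # Top Secret / highly trusted


@dataclass(frozen=True)
class Label:
    """A lattice label: a level plus a set of categories (compartments)."""
    level: Level
    categories: frozenset = field(default_factory=frozenset)

    def dominates(self, other: "Label") -> bool:
        """Dominance relation: at least as high AND a superset of the categories."""
        return self.level >= other.level and self.categories >= other.categories


def blp_allows(subject: Label, obj: Label, op: str, strong_star: bool = False) -> bool:
    """Bell-LaPadula: protect confidentiality (information may only flow up)."""
    if op == "read":
        return subject.dominates(obj)       # simple security rule: no read up
    if op == "write":
        if strong_star:
            return subject == obj           # strong star property: same level only
        return obj.dominates(subject)       # *-property: no write down
    raise ValueError(f"Bell-LaPadula has no rule for operation {op!r}")


def biba_allows(subject: Label, obj: Label, op: str) -> bool:
    """Biba: protect integrity (information may only flow down)."""
    if op == "read":
        return obj.dominates(subject)       # simple integrity axiom: no read down
    if op == "write":
        return subject.dominates(obj)       # *-integrity axiom: no write up
    if op == "invoke":
        return subject.dominates(obj)       # invocation property: no calling up
    raise ValueError(f"Biba has no rule for operation {op!r}")


def decide(model: str, subject: Label, obj: Label, op: str) -> str:
    """Convenience wrapper returning ALLOW/DENY for a named model."""
    check = {"blp": blp_allows, "biba": biba_allows}[model]
    return "ALLOW" if check(subject, obj, op) else "DENY"


if __name__ == "__main__":
    # Constructed labels for the demo.
    web_form = Label(Level.LOW)                      # untrusted input
    ledger = Label(Level.HIGH, frozenset({"finance"}))
    board = Label(Level.TOP, frozenset({"finance"}))
    hr_file = Label(Level.HIGH, frozenset({"hr"}))
    for model in ("blp", "biba"):
        print(f"{model:4} ledger -> board  read : {decide(model, ledger, board, 'read')}")
        print(f"{model:4} ledger -> board  write: {decide(model, ledger, board, 'write')}")
        print(f"{model:4} form   -> ledger write: {decide(model, web_form, ledger, 'write')}")
        print(f"{model:4} ledger -> hr     read : {decide(model, ledger, hr_file, 'read')}")
```

Run it and compare the two columns: the same request (a Secret subject writing to a Top Secret object) is allowed under Bell-LaPadula, because writing up leaks nothing, and denied under Biba, because it would let less-trusted input change more-trusted data. The accounting-firm check is the last case: the untrusted form (LOW) cannot write the ledger (HIGH) under Biba, while Bell-LaPadula, which only cares about secrecy, would allow it.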

Tuesday, October 1, 2013

NMAP with Flags and Kinds of Responses

Everybody who has ever studied for the CEH and similar books will find information about doing stealth scans with particular TCP flags and the kind of response to expect, so let's do some basic analysis with tcpdump. Yes, tcpdump: Wireshark is good, but we need to be familiar with other tools too.

Different scans and their responses:

  1. SYN (half open): we only send a SYN to the machine without completing the handshake; it is like we only say "Hi". We expect RST (usually RST/ACK) from a closed port and SYN/ACK from an open port, and then Nmap tears the half-open connection down with a RST of its own, so the application behind the port never sees a connection. It is like saying "Hi" under your breath without looking at the other person: they may answer "Hi" too, but no conversation starts.
  2. TCP Connect: this runs the full TCP handshake through the OS connect() call; it is like we say "Hi", the other person responds "Hello" and looks at us. This is more reliable because the OS confirms whether the port is open or closed, but the service sees a completed connection and can log it. We expect SYN/ACK (answered by our ACK) for an open port and RST/ACK for a closed one.
  3. FIN: this is the flag we use to close a conversation, but here there was no conversation. A CLOSED port answers RST ("stop, what are you talking about?") and an OPEN port ignores you, because it knows we were not talking. Since silence is also what a firewall that drops the packet produces, Nmap reports a silent port as open|filtered.
  4. XMAS: the famous Christmas scan (easy to remember the name). In this scan we send FIN, URG and PSH all at once, lit up like a Christmas tree. We get the same responses as with FIN: a CLOSED port answers RST and an OPEN port ignores you.
  5. ACK: we send only an ACK, as if a conversation already existed. This scan does not tell us whether a port is open: any unfiltered port, open or closed, answers RST ("wait a minute, which connection?"). What it maps is the firewall: a port that answers RST is unfiltered (our packet reached the host), while a port that stays silent, or comes back as an ICMP Destination Unreachable error, is filtered. A stateless firewall that lets a bare ACK through is exactly what this scan finds.
  6. NULL: like XMAS but with no flags at all, like walking into an office without saying anything. A CLOSED port answers RST and an OPEN port ignores you (open|filtered). Depending on the OS you may get a RST for every port: Windows, Cisco IOS and a few other stacks answer RST regardless of port state, so FIN, XMAS and NULL scans show every port as closed on them.
Why these types of scans

These types of scans help us find out whether a port is reachable through the firewall, and the non-SYN probes (FIN, NULL, XMAS) can sometimes slip past an IDS/IPS or other monitoring software that only watches for connection attempts. Do not count on that: any current IDS has signatures for these scans, so what you gain is information about the filtering, not invisibility.


Now let's see some examples.

SYN Scan

SYN, half open: we only send a SYN to the machine without completing the handshake; it is like we only say "Hi". We expect SYN/ACK from an open port and RST (usually RST/ACK) from a closed port; when the SYN/ACK arrives, Nmap answers with a RST so the connection is never established.

We will scan a device with port 22 open:

root@jojo-pc:~# nmap -sS -p22 192.168.123.1

Starting Nmap 6.40 ( http://nmap.org ) at 2013-10-01 18:37 CDT
Nmap scan report for 192.168.123.1
Host is up (0.0038s latency).
PORT   STATE SERVICE
22/tcp open  ssh
MAC Address: 50:3D:E5:3C:68:03 (Cisco Systems)

Did you notice:

192.168.123.212 to 192.168.123.1 with flag S (SYN)
192.168.123.1 to 192.168.123.212 with flags S and ACK (tcpdump shows [S.]): PORT IS OPEN
192.168.123.212 to 192.168.123.1 with flag R (RST): tear down the half-open connection

This was half open: .1 wanted to complete the handshake, but instead of the final ACK we sent a RST, so no connection is ever established and sshd never sees it (the kernel handled everything). A FIN would not make sense here, because FIN only closes a connection that already exists.

We will scan a device with port 25 closed:

root@jojo-pc:~# nmap -sS -p25 192.168.1.1

Starting Nmap 6.40 ( http://nmap.org ) at 2013-10-01 23:11 CDT
Nmap scan report for router.Belkin (192.168.1.1)
Host is up (0.0018s latency).
PORT   STATE  SERVICE
25/tcp closed smtp
MAC Address: 08:86:3B:D2:F9:00 (Belkin International)

Did you notice that I got flag R (RST) from the router? Why? Because the port is closed: the router's TCP stack answered immediately with a RST/ACK, telling us "forget it". If a firewall had been dropping the packet we would have seen no reply at all, and Nmap would have reported the port as filtered instead of closed.

TCP Connect

TCP Connect: this runs the full TCP handshake through the operating system's connect() call; it is like we say "Hi", the other person responds "Hello" and looks at us. This is more reliable because the OS confirms whether the port is open or closed, but the connection is completed, so the service on the other end sees it and can log it. We expect SYN/ACK (and then our ACK) for an open port and RST/ACK for a closed one. In other words, the full handshake.

Scan of port 3389, open:

root@jojo-pc:~# nmap -sT -p3389 192.168.1.100

Starting Nmap 6.40 ( http://nmap.org ) at 2013-10-01 23:18 CDT
Nmap scan report for 192.168.1.100
Host is up (0.0026s latency).
PORT     STATE SERVICE
3389/tcp open  ms-wbt-server
MAC Address: 00:15:17:13:2B:4C (Intel Corporate)



The full TCP handshake

Now a closed port; in this case we use port 3390. I expect a RST: the port is closed.

root@jojo-pc:~# nmap -sT -p3390 192.168.1.100

Starting Nmap 6.40 ( http://nmap.org ) at 2013-10-01 23:21 CDT
Nmap scan report for 192.168.1.100
Host is up (0.0099s latency).
PORT     STATE  SERVICE
3390/tcp closed dsc
MAC Address: 00:15:17:13:2B:4C (Intel Corporate)


FIN scan

FIN: this is the flag used to close a conversation, but here there was no conversation. A CLOSED port answers RST ("stop, what are you talking about?") and OPEN ports ignore you, because they know we were not talking. THIS ONLY WORKS AGAINST RFC 793-COMPLIANT STACKS (Linux, the BSDs and most Unix systems): Windows, Cisco IOS and several other systems send a RST for every probe regardless of port state, so against them every port shows as closed.

I am scanning port 5800 (VNC). It is open, but since I am sending a packet with only the FIN flag I get nothing back, so Nmap can only report open|filtered: silence is also what a firewall that drops the packet would produce.

root@jojo-pc:~# nmap -sF -p5800 192.168.1.24

Starting Nmap 6.40 ( http://nmap.org ) at 2013-10-01 23:27 CDT
Nmap scan report for 192.168.1.24
Host is up (0.0026s latency).
PORT     STATE         SERVICE
5800/tcp open|filtered vnc-http

If I send it to a closed port I get a RESET, meaning it is closed:

root@jojo-pc:~# nmap -sF -p5820 192.168.1.24

Starting Nmap 6.40 ( http://nmap.org ) at 2013-10-01 23:30 CDT
Nmap scan report for 192.168.1.24
Host is up (0.0033s latency).
PORT     STATE  SERVICE
5820/tcp closed unknown



This could be a long blog post; just keep testing and testing until you see the flags. It is a good learning process and you will come to know what to expect from each scan.

Remember, if you have deep knowledge of your target you are increasing your chances to own the box; patience is the key.



Monday, September 30, 2013

NMAP Protocol scan results

I am not sure about you guys, but studying the Nmap protocol scan results is sometimes very confusing.

This is the list of the usual ICMP Destination Unreachable (type 3) codes that Nmap recognizes and reports on:

Code 0 - Network Unreachable
Code 1 - Host Unreachable
Code 2 - Protocol Unreachable
Code 3 - Port Unreachable
Code 13 - Communication Administratively Prohibited

Let me give you some examples:

Code 0 - Network Unreachable

 nmap 192.168.14.1


Did you notice Type 3, Code 0 (Network Unreachable)? I could not reach the network 192.168.14.0 because there is no route in my firewall to that network and it is not routed through the internet.

Code 2 - Protocol Unreachable

On this occasion I will try to scan a host on the internet that does not reply to ICMP, and we will get two different responses, very interesting:

nmap 97.74.215.229


Did you notice Code 2 (Protocol Unreachable)?

Now at the same time we get Type 3, Code 13 (Communication Administratively Prohibited): a filtering device in the path is telling us it dropped the packet on purpose, which is why Nmap marks such ports filtered rather than closed.


Keep testing with nmap and Wireshark, applying ICMP filters, and you will see the types and codes. After a while this will become familiar and you will begin to go deep into the protocols. And remember: the packet never lies.
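The decision rules behind the scan list in the previous post (SYN, connect, FIN, NULL, XMAS, ACK) and the ICMP unreachable codes listed above are small enough to write down as code, which makes the "what do I expect back?" question easy to check. The following is an added example, not from either post and not Nmap's own code; it encodes the port-state interpretation described in the Nmap reference guide, with the reply types (Tcp, Icmp, Other) as constructed stand-ins for what you would see in tcpdump or Wireshark. It cannot know what the target's stack actually does: a Windows host answers every FIN/NULL/XMAS probe with a RST, so those scans report every port as closed there, and this function will faithfully say "closed".

```python
"""How Nmap turns a probe's reply (or silence) into a port state.

Scan types use Nmap's option names: sS (SYN), sT (connect), sF (FIN),
sN (NULL), sX (Xmas), sA (ACK) and sO (IP protocol scan).
"""
from dataclasses import dataclass
from typing import Optional, Union


@dataclass(frozen=True)
class Tcp:
    flags: str            # tcpdump-style letters: "S", "SA", "R", "RA", "F" ...


@dataclass(frozen=True)
class Icmp:
    type: int
    code: int


@dataclass(frozen=True)
class Other:
    proto: int            # any non-TCP/ICMP reply; only meaningful for -sO


Reply = Optional[Union[Tcp, Icmp, Other]]   # None = no answer after retransmissions

# ICMP Destination Unreachable (type 3) codes and their meaning (RFC 792 / RFC 1812).
ICMP_UNREACH = {
    0: "network unreachable",
    1: "host unreachable",
    2: "protocol unreachable",
    3: "port unreachable",
    9: "network administratively prohibited",
    10: "host administratively prohibited",
    13: "communication administratively prohibited",
}
# Codes the Nmap reference guide treats as "something in the path is filtering" for TCP scans.
TCP_FILTER_CODES = {0, 1, 2, 3, 9, 10, 13}

STEALTH = ("sF", "sN", "sX")          # probes that an open port is allowed to ignore
SCANS = ("sS", "sT", "sA", "sO") + STEALTH


def probe_flags(scan: str) -> str:
    """What the scanner puts on the wire for each technique."""
    return {"sS": "S", "sT": "S", "sF": "F", "sN": "", "sX": "FPU",
            "sA": "A", "sO": "(one raw IP packet per protocol number)"}[scan]


def port_state(scan: str, reply: Reply) -> str:
    if scan not in SCANS:
        raise ValueError(f"unknown scan type {scan!r}")

    if isinstance(reply, Icmp):
        if reply.type != 3:
            reply = None                      # not an answer to our probe; treat as silence
        elif scan == "sO":
            if reply.code == 2:
                return "closed"               # host says: I do not speak that protocol
            if reply.code == 3:
                return "open"                 # port unreachable proves the protocol is handled
            return "filtered"                 # host/net/admin prohibited: something in between
        elif reply.code in TCP_FILTER_CODES:
            return "filtered"
        else:
            reply = None

    if scan == "sO":
        return "open" if reply is not None else "open|filtered"

    if reply is None:
        # Silence means "open or filtered" for FIN/NULL/Xmas, plain "filtered" for the rest.
        return "open|filtered" if scan in STEALTH else "filtered"

    if not isinstance(reply, Tcp):
        raise ValueError("TCP scans expect a TCP or ICMP reply")
    flags = set(reply.flags)

    if scan == "sA":
        # The ACK scan never learns open vs closed; a RST only proves the probe got through.
        return "unfiltered" if "R" in flags else "filtered"
    if "R" in flags:
        return "closed"
    if scan in ("sS", "sT") and {"S", "A"} <= flags:
        return "open"
    raise ValueError(f"unexpected reply {reply.flags!r} to -{scan}")


def scanner_followup(scan: str, reply: Reply) -> str:
    """What the scanner sends after a SYN/ACK: RST for -sS (half open), ACK for -sT."""
    if scan in ("sS", "sT") and isinstance(reply, Tcp) and {"S", "A"} <= set(reply.flags):
        return "R" if scan == "sS" else "A"
    return ""


if __name__ == "__main__":
    # Constructed replies standing in for the captures in the posts.
    cases = [("sS", Tcp("SA")), ("sS", Tcp("RA")), ("sS", None), ("sS", Icmp(3, 13)),
             ("sT", Tcp("RA")), ("sF", None), ("sF", Tcp("RA")), ("sX", Tcp("R")),
             ("sN", None), ("sA", Tcp("R")), ("sA", None), ("sO", Icmp(3, 2)), ("sO", None)]
    for scan, reply in cases:
        print(f"-{scan} probe [{probe_flags(scan)}] reply {reply!r:18} -> {port_state(scan, reply)}")
```

The two lines that trip people up are visible in the table this prints: silence after a SYN is filtered, but silence after a FIN is open|filtered, and a RST to an ACK probe is unfiltered rather than closed.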


Monday, August 5, 2013

HTTP Commands for Banner Grabbing

This is a short list of commands for banner grabbing from a Windows web server. You will need to press Enter twice after the command: the empty line tells the server that the request headers are finished, and until it sees it the server just keeps waiting.

1. Connect using telnet and type: HEAD / HTTP/1.0

telnet www.test.com 80

Trying 10.10.10.10...
Connected to www.test.com.
Escape character is '^]'.
HEAD / HTTP/1.0


HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 1777
Content-Type: text/html
Server: Microsoft-IIS/7.0
Set-Cookie: ASPSESSIONIDACBATBQQ=MJOLBPPDBKPANIAKDMLCEOHF; path=/
X-Powered-By: ASP.NET
Date: Tue, 06 Aug 2013 03:42:18 GMT
Connection: close
Connection closed by foreign host.


2. Let's try the OPTIONS command, I like this one: OPTIONS / HTTP/1.0. The Allow and Public lines are the useful part: they tell you which methods the server accepts, and here TRACE is among them, which is worth noting in the report.


Trying 10.10.10.10...
Connected to www.test.com.
Escape character is '^]'.
OPTIONS / HTTP/1.0

HTTP/1.1 200 OK
Allow: OPTIONS, TRACE, GET, HEAD, POST
Server: Microsoft-IIS/7.0
Public: OPTIONS, TRACE, GET, HEAD, POST
X-Powered-By: ASP.NET
Date: Tue, 06 Aug 2013 03:47:39 GMT
Connection: close
Content-Length: 0
Connection closed by foreign host.


What happens if I type a wrong command or lower-case letters?

Trying 10.10.10.10...
Connected to www.test.com.
Escape character is '^]'.

options / http/1.0      ---- I typed lower case

HTTP/1.1 400 Bad Request
Content-Type: text/html; charset=us-ascii
Server: Microsoft-HTTPAPI/2.0
Date: Tue, 06 Aug 2013 03:50:08 GMT
Connection: close
Content-Length: 311
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd">
<HTML><HEAD><TITLE>Bad Request</TITLE>
<META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD>
<BODY><h2>Bad Request</h2>
<hr><p>HTTP Error 400. The request is badly formed.</p>
</BODY></HTML>
Connection closed by foreign host.

Notice that the Server header changed: the 400 did not come from IIS but from the HTTP.sys kernel driver (Microsoft-HTTPAPI/2.0), which rejects malformed requests before IIS ever sees them. Error responses like this are fingerprinting data in their own right.
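The telnet session above is doing nothing more than writing bytes to a TCP socket and reading back whatever the server sends. This added example (not from the original post) does the same thing from Python and, so that it runs offline, points it at Python's own http.server started on a loopback port as a stand-in for the IIS box; the server, the host and the port are assumptions of the example. This server answers a lower-case method with 501 rather than the 400 that HTTP.sys returned above, which illustrates the same point from the other side: how a server reacts to a bad request is itself a fingerprint.

```python
"""Raw HTTP banner grabbing over a socket, against a throwaway local server."""
import functools
import socket
import tempfile
import threading
from http.server import SimpleHTTPRequestHandler, ThreadingHTTPServer


def grab_banner(host: str, port: int, request_line: str = "HEAD / HTTP/1.0",
                timeout: float = 5.0):
    """Send one request line followed by an empty line; return (status_line, headers).

    The empty line (the second Enter in the telnet session) ends the request;
    without it the server keeps waiting for more headers.
    """
    raw = (request_line + "\r\n\r\n").encode("ascii")
    chunks = []
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(raw)
        while True:                      # HTTP/1.0: the server closes when it is done
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    head, _, _body = b"".join(chunks).partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers


class _QuietHandler(SimpleHTTPRequestHandler):
    def log_message(self, *args):        # keep the demo output clean
        pass


def start_lab_server():
    """Start Python's built-in web server on a random loopback port (stand-in for the IIS box)."""
    handler = functools.partial(_QuietHandler, directory=tempfile.mkdtemp())
    server = ThreadingHTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def stop_lab_server(server):
    server.shutdown()
    server.server_close()


if __name__ == "__main__":
    server, port = start_lab_server()
    try:
        for req in ("HEAD / HTTP/1.0", "OPTIONS / HTTP/1.0", "head / HTTP/1.0"):
            status, headers = grab_banner("127.0.0.1", port, req)
            print(f"{req:20} -> {status}   Server: {headers.get('server', '?')}")
    finally:
        stop_lab_server(server)
```

Against a real target, replace start_lab_server with the host and port you are testing and keep the request line exactly as typed in the telnet examples; the function returns the Server header so the result can be fed into an inventory instead of being read off the screen.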

Sunday, May 19, 2013

How to enable Desktop Sharing in Kali

I have my own pentest lab. I installed a second copy of Kali in Hyper-V to keep running any dictionary attack, directory or file enumeration on a web server, etc. Sure, using Kali over Hyper-V is a little slow, so I enabled Desktop Sharing.

So let's have fun:

Open Applications > Internet > Desktop Sharing



When you open it you will find different options; sure, the first thing I recommend is: Require the user to enter this password: ************. You do not want to leave it blank and have somebody take your hacking machine and begin to use it illegally, no.

In my case I selected the following options; you can choose the ones you want. Look!!! I cleared the option "You must confirm each access to this machine". Why? Because I am not at the Hyper-V console; I will be accessing it from my laptop.


Now you will need to download a VNC viewer and try to connect from any Windows/Linux (GUI) machine:

From there you can do whatever you want. A second machine is good because it allows you to run tools that require time and CPU without slowing down your main laptop/computer.

Happy hacking fun.



Saturday, May 18, 2013

Where are the password or word lists in Kali

Last night I was looking for how to enumerate the list of directories on a web site. I was using Kali; normally in BackTrack you look in the /pentest folder and pick the right tool from there. Kali is a little different:

Location:

/usr/share

Check the list:

Now let's see DirBuster: go to cd /usr/share/dirbuster and run ls -l

Go inside wordlists: cd wordlists and run ls -l again; you will find the directory lists.

This is only for DirBuster; now go to /usr/share/wordlists and run ls -l again:



Keep going in the folder /usr/share and you will find your wordlist or list for your tools. Happy hacking; remember, only in your lab or with permission.
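Once you know the lists live somewhere under /usr/share, the next question is which of the many files there are actually wordlists. This added example (not from the original post) walks a tree and keeps only the files that look like one entry per line; it reads gzip-compressed lists transparently, because Kali ships the big password lists compressed (for example /usr/share/wordlists/rockyou.txt.gz), and a plain grep or wc on such a file tells you nothing. The sample tree it builds in a temporary directory is constructed to mirror the dirbuster/wordlists and wordlists layout shown above; on a real Kali box point find_wordlists at /usr/share.

```python
"""Walk a share tree and pick out the files that look like wordlists."""
import gzip
import os
import tempfile
from pathlib import Path

CANDIDATE_SUFFIXES = {".txt", ".lst", ".dic", ".gz"}


def _open_text(path: Path):
    # Kali ships some lists compressed (rockyou.txt.gz); read those transparently.
    opener = gzip.open if path.suffix == ".gz" else open
    return opener(path, "rt", encoding="latin-1", errors="replace")


def looks_like_wordlist(path: Path, sample: int = 200, max_len: int = 64) -> bool:
    """Heuristic: many short single-token lines (one candidate per line)."""
    try:
        with _open_text(path) as fh:
            lines = [fh.readline() for _ in range(sample)]
    except OSError:                       # unreadable, or a .gz that is not gzip
        return False
    lines = [ln.rstrip("\r\n") for ln in lines if ln]
    if len(lines) < 10:                   # too small to be a useful list
        return False
    tokens = sum(1 for ln in lines if 0 < len(ln) <= max_len and " " not in ln.strip())
    return tokens / len(lines) >= 0.9


def find_wordlists(root) -> list:
    """Return every candidate wordlist under root, sorted by path."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            if path.suffix.lower() in CANDIDATE_SUFFIXES and looks_like_wordlist(path):
                found.append(path)
    return sorted(found)


def count_entries(path) -> int:
    """Number of non-empty lines, i.e. how many guesses a run with this list will make."""
    with _open_text(Path(path)) as fh:
        return sum(1 for ln in fh if ln.strip())


def build_sample_tree() -> Path:
    """Constructed stand-in for /usr/share with the layout the post describes."""
    root = Path(tempfile.mkdtemp(prefix="share-"))
    (root / "dirbuster" / "wordlists").mkdir(parents=True)
    (root / "wordlists").mkdir()
    (root / "doc").mkdir()
    names = ["admin", "backup", "cgi-bin", "images", "login", "old",
             "test", "tmp", "upload", "wp-admin", "api", "static"]
    (root / "dirbuster" / "wordlists" / "directory-list-small.txt").write_text("\n".join(names) + "\n")
    with gzip.open(root / "wordlists" / "rockyou.txt.gz", "wt") as fh:   # compressed, like Kali's
        fh.write("".join(f"password{i}\n" for i in range(500)))
    (root / "doc" / "README.txt").write_text(
        "".join(f"This line {i} is prose, not a wordlist entry.\n" for i in range(20)))
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    for path in find_wordlists(root):
        print(f"{count_entries(path):8d}  {path.relative_to(root)}")
```

The README is rejected even though it is a .txt file, because its lines are sentences; the heuristic is deliberately loose (a list of URLs with spaces would be missed), so treat the output as a shortlist to look at, not as the final answer.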