Tag: Cybersecurity Tips

  • Cool Tools Series: NMAP for Penetration Tests

    Cool Tools Series: NMAP for Penetration Tests

    In Scottie’s recent Cool Tools blog about discovery tools, he, like many network penetration testers, starts with Nmap. Nmap is a great discovery tool with many flags and scripts. In this post, I will expand upon Scottie’s ideas and delve more deeply into what Nmap has to offer, specifically for network penetration testing.

    Hosts Marked as Down When They Are Up

    If you find you have problems with Nmap flagging hosts as down, even though they should be up, I would recommend adding these flags to your command:

    • -PS – SYN ping scan. You can optionally add a port number after this.
    • PA – ACK ping scan. You can optionally add a port number after this.
    • -PE – Typical ICMP ping echo request, typically blocked by firewalls.
    • -PP – ICMP timestamp ping query, which can sometimes get around misconfigured firewalls.
    • -PM – ICMP subnet mask ping query, also good for evading misconfigured firewalls.
    • -PO -This issues an IP protocol ping, which seems to work a lot of times when other probes don’t.

    Putting that all together, my typical scans are now starting to look like this:

    sudo nmap -oA [output] -sSUV --unique --resolve-all -PS -PA -PE -PP -PM -PO -T4 -O -p T:-,U:53,161 -vv -iL [targets]

    Some other options present here:

    • -oA [output– Output in all file formats simultaneously.
    • -sSUV – Combo of -sS (TCP SYN scan), -sU (UDP scan), and -sV (service version scanning).
    • –unique – Scan each IP only once (e.g. if raxis.com resolves to 1.1.1.1, and both are targets, only scan 1.1.1.1 once).
    • –resolve-all – If an DNS name resolves to multiple IPs, scan each IP.
    • -T4 – Go a bit faster than default, recommended for modern networks (unless you’re trying to be quiet).
    • -O – Try to determine operating system.
    • -p T:-,U:53,161 – Scan all TCP ports as well as UDP ports 53 (DNS) and 161 (SNMP).
    • -vv – Be very verbose in output.
    • -iL [targets– Use the targets in the specified file.

    Additionally, when using -oA, if your scan gets interrupted, you can use this to resume the scan where it left off:

    nmap --resume

    The Nmap Scripting Engine

    The Nmap Scripting Engine (NSE) provides 604 scripts and 139 libraries at the time I’m writing this. That number grows each year, so, needless to say, this is a very useful tool for penetration testers or for blue teams checking out possible vulnerabilities in their systems. I’ll discuss some Useful NSE scripts here, and I encourage you to take a look to see if there are others that would be helpful for your needs.

    Shodan

    • Queries the Shodan API for the targets. Follow the instructions on the NSE site to setup a Shodan API key.
    nmap --script shodan-api [IP Range] -sn -Pn -n --script-args 'shodan-api.outfile=potato.csv,shodan-api.apikey=SHODANAPIKEY'
    nmap --script shodan-api --script-args 'shodan-api.target=[IP],shodan-api.apikey=SHODANAPIKEY'

    Server Message Block (SMB)

    • Check if SMB signing is disabled:
    nmap --script smb-security-mode -p445 [IP]

    File Shares

    • Attempt to enumerate SMB shares:
    nmap --script smb-enum-shares -p445 [IP]
    • Show NFS Shares (Exports):
    nmap -sV --script=nfs-showmount [IP List or Range]
    • Attempt to get useful information from NFS shares (mimics an -ls command):
    nmap -p 111 --script=nfs-ls [IP List or Range]
    nmap -sV --script=nfs-ls [IP List or Range]

    Databases

    • Attempts to find configuration and version info for a Microsoft SQL Server instance:
    nmap -p 445 --script ms-sql-info [IP]
    nmap -p 1433 --script ms-sql-info --script-args mssql.instance-port=1433 [IP]
    • Looks for MySQL servers with an empty password for root or anonymous:
    nmap -sV --script=mysql-empty-password [IP]

    Domain Name Server (DNS)

    • Perform DNS Cache Snooping:
    nmap -sU -p 53 --script dns-cache-snoop --script-args 'dns-cache-snoop.mode=timed,dns-cache-snoop.domains={host1,host2,host3}' [IP]
    • Checks DNS anti-spam and open proxy blacklists to see if an IP has been flagged:
    nmap --script dns-blacklist --script-args='dns-blacklist.ip=[IP]'
    nmap -sn [IP] --script dns-blacklist

    Virtual Private Network (VPN)

    • Checks if the host is vulnerable to the Cisco ASA SSL VPN Authentication Bypass Vulnerability:
    nmap -p 443 --script http-vuln-cve2014-2128 [IP]

    Network Time Protocol (NTP)

    • Shows an NTP server’s monitor data:
    sudo nmap -sU -pU:123 -Pn -n --script=ntp-monlist [IP]

    Remote Access

    • Attempts to brute-force a VNC server:
    nmap --script vnc-brute -p 5900 [IP]
    • Discovers the security layer and encryption level that is supported by a RDP service:
    nmap -p 3389 --script rdp-enum-encryption <ip>

    Network Protocols

    • Attempts to brute-force a POP3 account:
    nmap -sV --script=pop3-brute [IP]
    • Attempts to brute-force a telnet server:
    nmap -p 23 --script telnet-brute --script-args userdb=myusers.lst,passdb=mypwds.lst,telnet-brute.timeout=8s [IP]

    Java

    • Attempts to dump all objects from a remote RMI registry:
    nmap --script rmi-dumpregistry -p 1098 [IP]
    nmap --script rmi-dumpregistry -sV --version-all -p 443 [IP]

    Weak Ciphers & Algorithms

    • Enumerates all web ciphers that a server accepts:
    nmap -sV --script ssl-enum-ciphers -p 443 <host>
    • Finds the number of algorithms the SSH2 server offers (or lists them with verbosity set):
    nmap --script ssh2-enum-algos [IP]

    Certificates

    • Displays the server’s SSL certificate. Set verbosity to add more details:
    nmap --script=ssl-cert -p 443 [IP]

    Http

    • Checks if HTTP TRACE is enabled:
    nmap --script http-trace -d [IP]

  • Cyber Civil Defense: We Can All Fight the Russians

    Most of us here in the US have followed the Russian invasion of Ukraine with a mix of disgust, outrage, and even existential fear. But there is a way to channel these negative feelings into positive actions by making yourself and your company a harder target for hackers, including those affiliated with or supported by the Russian government.

    During World War II, families planted victory gardens to help feed our military here and abroad. As the Cold War brought us to the brink of nuclear conflict, private citizens were called on to be part of a civil defense force to supplement local emergency management personnel. Now, technology has introduced us to a new battlefield in cyberspace. 

    Though cyber war doesn’t offer the horrific imagery of a physical invasion, it is every bit as real, the stakes are incredibly high, and threats are growing more sophisticated. Russia sent its soldiers into Ukraine, but it also has an army of malicious hackers on its payroll and/or under its protection as well. 

    Many of these are coin-operated criminal gangs working with the expressed or implicit approval of Vladimir Putin. They have a track record of targeting his enemies worldwide. The United States has been and will continue to be in their crosshairs. 

    As with generations past, it’s our turn now to recognize we all have a role to play – as private companies and private citizens – in protecting our institutions from attack. Here are some ways to do that immediately.

    For individuals, it’s critical to enable multifactor authentication, create complex passwords and/or use a secure password manager. An old poster from WWII cautioned, “Loose lips might sink ships.” The point was that small pieces of information could be combined by our enemies to paint a clear picture of larger operations. 

    As professional hackers, we often rely on that same principle – piecing together minor vulnerabilities that ultimately enable us to breach networks and exfiltrate data. The key is to make sure you’re not the weak link at home or at work.

    For businesses, now is the time to recognize that cybersecurity is part of your corporate mission, no matter what industry you’re in. If you’re a leader in your organization, be sure to establish regular check-ins with your information security team – if you haven’t already — and heed their advice. 

    This poster, found in bars across the US during WWII, was a reminder that Americans had a duty to protect information:

    Loose lips might sink ships

    The point was that small pieces of information could be combined by our enemies to paint a clear picture of larger operations. As professional hackers, we often rely on that same principle – piecing together minor vulnerabilities that ultimately enable us to breach networks and exfiltrate data. The key is to make sure you’re not the weak link at home or at work.

    Help is also available from the United States Cybersecurity and Infrastructure Security Agency (CISA). Its Shields Up publication offers some excellent recommendations about steps you can take to harden your defenses. Take a few minutes to read and consider these suggestions.

    Remember, too, that Raxis and other companies have veteran cybersecurity experts on their teams whose life’s work is to help protect you from those who would steal from you, hold your data hostage, or disrupt your operations. Now, as always, our certified professionals are ready to help.

    Raxis can perform in-depth penetration tests, conduct red team assessments, test your web applications, or help train your infosec team. But we also offer a number of free resources that are publicly available as well.

    Check out our YouTube channel, follow us on social media, and make sure you subscribe to this blog. We provide a lot of great security information aimed at helping you understand the latest threats and what you can do about them.

    The people of Ukraine are rightfully in our thoughts and prayers at present. It’s unconscionable for one sophisticated, powerful nation to attack and invade its neighbor simply because it can. But we can do much more than fret over what’s happening overseas. We can take action that will make it harder for the Russian government to escalate its cyber war in Europe and here at home.

    This is your chance to join the fight. Make your actions count.

  • Chained Attacks and How a Scan Can Leave You Vulnerable

    The results from your vulnerability scan showed only a couple of low or moderate level findings, but there is no denying that two experienced hackers now have domain admin rights; the freshly printed summary document on your desk spells out in excruciating detail how they traversed the darkest corners of your network and gained access to critical data.

    Fortunately for you, they’re Raxis team members, and you’ve paid them to do just that.

    The Chained Attack

    This scenario plays out frequently for Raxis customers who previously relied on companies that pass off vulnerability scans as faux penetration tests. It highlights why a scan, by itself, can give businesses a false sense of security about their cyber defenses. At their best, scans only point out individual links in what skilled and experienced hackers can turn into a chained attack – using one vulnerability to discover others, increasing or escalating network access with each move. In the case of parameter or business logic exposures, scans often remain blissfully unaware, failing to identify the exposures at all.

    UNFAMILIAR WORD OR TERM? VISIT OUR GLOSSARY.

    We’ll use a real-life example from a recent Red Team engagement to illustrate just how this works. Keep in mind that the following recap is just one way to employ a chained attack. There are many others. In fact, it’s such a common technique that it’s part of the test ethical hackers take to earn the Offensive Security Certified Professional (OSCP) certification. (Read about Senior Penetration Tester Andrew Trexler’s experience with the OSCP exam.)

    The First Link

    Using a response poisoning attack, our testers achieved Man in the Middle (MitM) and relayed Server Message Block (SMB) handshakes to hosts with SMB signing disabled, which allowed them to execute local commands and extract local password hashes stored by the security account manager (SAM). One of those hashes was associated with a local administrator account, and they used it to connect to a system on the internal network.

    Once inside, they exploited a known design flaw in Windows authentication and used this local administrator hash in a Pass-the-Hash (PtH) attack using CrackMapExec (CME). They didn’t even have to crack the hash and get a cleartext password. Just sending the hash was sufficient to allow access.

    Creating the Chain

    Using PtH, our ethical hackers enumerated users logged on to a system, determined valid usernames, and extracted their Kerberos ticket hashes. This time, they did have to crack the hashed ticket for an administrative service account they found. A weak password and robust cracking hardware made this possible within seconds.

    Having identified the cleartext password for that administrator account, they found that it was shared amongst numerous systems. They connected to other systems across the network and found a domain administrator logged into one of them. An attempt to access the Local Security Authority Subsystem Service (lsass.exe) file failed at first because the company’s security blocked “procdump.exe,” the tool we were using to gather a memory dump of the process. However, a second attempt with Process Explorer was successful and allowed our team to download a memory dump of the “lsass.exe” process, giving us access to the runtime state of the service that performs Active Directory database lookups, authentication, and replication.

    Another tool, Mimikatz, enabled our testers to extract the contents of that file, including the reusable NTLM password hash of a Domain Administrator (DA). Again, using CME, they used the NTLM DA password hash to extract the contents of the entire Active Directory database. This is the database housing all Active Directory objects, including users and their password hashes for the entire domain (that often means every employee at a small company or every employee in a division of a large company).

    “Vulnerability scans are excellent point-in-time snapshots of potential problems. But it takes comprehensive penetration testing to demonstrate how easily a malicious hacker can link them together to create a chained attack.”

    Tim Semchenko
    Owning the Network

    Using this DA access, our team created a new backdoor domain administrator account in the Domain Admins group – ample proof for the customer that Raxis had in fact pwned their network.

    What else could they have done? Anything they wanted, including staying on the system indefinitely or just logging in periodically to steal data or disrupt operations. Once a hacker has this type of access, it’s very difficult for a company to know if their access has been truly and completely removed.

    How is this possible? Because a serious security flaw – one that would not be revealed in full by a vulnerability scan – offered our skilled team members an entry way to take down an entire network had they been bad guys.

    The point is that vulnerability scans are excellent at providing a point-in-time snapshot of potential problems on your network. But it takes comprehensive penetration testing to find out just how serious those issues are and to demonstrate how easily a malicious hacker can link them together to create a chained attack.

  • Keep Your Cookies in the Cookie Jar: HttpOnly and Secure Flags

    What are cookies, anyway?

    Cookies are a way to store information across multiple HTTP requests. HTTP is a stateless protocol, meaning each request is completely independent of subsequent requests. Cookies are set by the web server, and then stored in the user’s web browser. Each subsequent request to the domain specified in the cookie will then include the set cookies in the HTTP request headers, so the web server can continue to associate the following requests to that user. Some common use cases for cookies are authentication, analytics IDs, and user preferences.cook

    So, what are cookie flags, then?

    Cookie flags are attributes for a cookie that are set when the cookie is initialized. These attributes live for the duration of the cookie’s lifespan, so it’s important that they are set with secure attributes, especially for important cookies used for maintaining sessions or other sensitive user information. These attributes can quickly be seen by looking at a cookie in the browser, as shown below:

    Example of cookies set with Secure and HttpOnly flags
    HttpOnly Flag

    The HttpOnly flag prevents a cookie from being accessed from protocols other than HTTP. This flag is mostly used so that client-side JavaScript cannot access the cookie.

    Security Impact

    When the HttpOnly flag is not set, client-side JavaScript is able to access and use the cookie. From an attacker’s perspective, it means the cookie is vulnerable to being stolen or used during other client-side attacks, such as in a Cross-Site Scripting (XSS) attack. For example, in our recently discovered XSS Vulnerability in ManageEngine Applications Manager (CVE-2021-31813), cookies were accessed through the inserted JavaScript and reflected back to the screen, as shown below:

    Cookie accessed by inserted JavaScript in XSS vulnerability (CVE-2021-31813)

    In a real scenario, an attacker may send the cookie to themselves instead of reflecting it to the screen. However, if the HttpOnly flags had been set, the malicious JavaScript could not have accessed the application’s cookies in the first place.

    Secure Flag

    The Secure flag prevents a cookie from being sent over HTTP and enforces the cookie to only be sent over HTTPS. This flag is used to prevent attackers from stealing cookies by sniffing unencrypted HTTP traffic. Even though there is a high usage of HTTPS, cookies can still be sniffed on redirects and through other means without the Secure flag. 

    Security Impact

    When the Secure flag is not set, the user’s cookies will be sent over HTTP if a request is made to that website’s HTTP port. Most websites now support HTTPS, but there are still multiple ways for cookies to be sent over HTTP even when the server supports HTTPS. For example, if a website’s web server redirects HTTP requests to use HTTPS, it’s possible the initial web request will have sent cookies that are not using the Secure flag. Similarly, if a user clicks on a link (e.g., from a phishing email) that doesn’t have https:// appended to it, the initial request will send any cookies for that website that are not using the Secure flag. An attacker that is sniffing traffic would then be able to see the cookie’s value in cleartext. The Strict-Transport-Security header can help to mitigate some of this impact, but, to ensure cookies are never sent over an unencrypted channel, the Secure flag should always be used.

  • Hurricane Ida: Limiting the Damage

    As someone who has lived through several hurricanes and worked as a first responder for years, my heart breaks for our neighbors on the Gulf Coast and inland areas who are now assessing the damage from Hurricane Ida. For those who haven’t experienced it, devastation doesn’t begin to describe the aftermath of such a powerful storm.

    While we hope and pray for the people who were in the storm’s path, I want to offer a few tips from the cybersecurity career I’ve pursued since leaving emergency services work 16 years ago:

    • Scammers strike when we’re most vulnerable. Don’t let your guard down now.
    • Be mindful of what you post on social media. Giving too much personal information could lead to identity theft or give a criminal the location of your home you just evacuated. Provide personal information only to valid sources like FEMA, the Red Cross, and your insurance companies.
    • Be on high alert for phishing emails disguised as aid requests. Legitimate rescue personnel (volunteer or professional) will never ask for money. Donate to the Red Cross, Salvation Army, or a local organization you already know and trust.
    • Rely only on reputable sources for critical information. Social media is good for keeping up with friends and relatives, but it’s also full of misinformation and scams. Double-check important news by cross-referencing it on local, state, or federal government pages, or with reliable media. Also, remember that there are a lot of “fake” media pages.
    • If you’re in an area that is hard hit and don’t have cell phone service, turn off your phone. The phone will die more quickly if it’s searching for a cell tower. Turn it on later and see if cell service is restored. If not, turn it back off, and try again later.
    • Likewise, don’t send sensitive information over public WiFi. In the wake of a disaster, it’s all too easy for scammers to intercept traffic and collect passwords, credit card numbers, banking information, and other private data.

    We can’t prevent hurricanes, and it’s likely there will always be scammers and hackers among us. However, a little caution can help us avoid being victims of a man-made disaster at the same time we deal with nature’s worst destruction.

  • Don’t Take the Smishbait

    Unwanted text messages are always annoying, but some can be dangerous. Smishing is a phishing attempt carried out via text and it can be more effective than you might think.

    Smish - A phish via text message

    We’ve all been there — waiting on an important text message, receiving a notification, and opening the phone only to see a message about our car’s warranty expiring.

    Isn’t that just the worst?

    As it turns out, no. Far more damaging are the ones that bring phishing and spear-phishing into the more personal, less-guarded world of SMS texting. You’ve probably heard the portmanteau “smishing” (SMS + phishing) to describe the practice, but you may wonder how and why it works. More importantly, you should know what you can do to make sure it doesn’t happen to you.

    The psychology of smishing

    At its essence, smishing is a form of social engineering that relies on the implied urgency and intimacy of a text message. Whereas most businesses have effective spam and virus filters in place, and we’re reminded often about the dangers of email, text messages often bypass company security. What’s more, they occupy a different place in our minds than standard business communications.

    If email reflects the type of discussion you might have in the conference room, texting is more like banter over drinks after work. In the former, we’re conscious about what we say and what we hear. In the latter, we’re more relaxed and trusting of those around us. And, like other forms of social engineering, that’s what hackers count on when they send a smish.

    Enabling technology

    There are several widely available consumer-grade apps that allow the user to spoof a phone number, display a fake name, and send a message directly to voicemail or text. In the name of privacy, they offer anonymity to the sender, making it extremely hard to trace. Though the phone companies are working to identify and warn users that such messages may be fake, more customizable and concealable apps are available for sale on the dark web.

    As with email, these provide scammers with the ability to deliver malicious phishing links to a broad audience. One click could download malware to your device or take you to a website that will attempt to harvest your credentials. But more troubling is the advanced spear-phishing abilities they provide. We might suspect a direct request for money (or gift certificates) or something obvious. However, consider the image above and ask yourself how many of your employees would immediately comply just to be helpful. If they do, it could render your multi-factor authentication meaningless.

    Protecting yourself and your company

    There are several other ways smishing can put your organization at risk, and there’s only so much technology can do to protect. With that in mind, here are several things you can do to make sure you and your organization don’t become smishing victims.

    • Remember that a legitimate person or company sending you a text message will want you to be wary and check.
    • Even if you recognize the company, think about other texts you’ve received from them. Most pay services, like Venmo and PayPal for example, include “we will never call or email you to request this PIN.” Most banks tell you to login to their site rather than include a URL in the text.
    • Even if the phone number looks correct, remember that numbers and names are easily spoofed. A strong phish may email, text, and call you so that you feel like someone has backed up the claim that it’s legit.
    • A true alert should provide a way for you to take the requested action without using the text. Login to a trusted URL that you have bookmarked. Call the number on the back of your credit card to confirm. Or, reach out in some other way that doesn’t rely on information provided by the same person or company.
    • Messaging apps often provide a way that you can report spam, scams, and phishes. Reporting them helps them block further attacks and makes it harder and more expensive for the hacker to continue.

    The bottom line is that any form of electronic communication is subject to compromise by a determined hacker and there is an ongoing “arms race” between hackers and the experts working to keep us safe. That’s why personal vigilance will always be the most important security measure in our cybersecurity toolkit.

  • 12 New Cyber Terms the World Needs Now

    There ought to be words for these things . . . and now there are. How many examples do you see in your work each day?

    Over the course of hundreds of penetration tests, red team assessments, and incident responses, we’ve encountered situations that left us without words. So, rather than just stand around speechless, we decided to create some new verbiage to fill in the blanks. See if you find any of these appropriate around your office or within your company.

    • Againstigation. uh-gain-stuh-GAY-shun. n. Studying the root causes of a large-scale breach even though the same basic tactics have been used repeatedly and the underlying problems remain.
    • Backoops. BACK-oopz. n. The act of deploying a secure backup solution after sensitive company data has been encrypted by ransomware.
    • Breacher’s pet. BREE-churz-pet. n. Anyone who leaves helpful notes with usernames and passwords on sticky notes attached to their monitor.
    • Chivalregret. SHIV-ul-ree-gret. n. The realization that a person for whom you’ve politely opened a door was actually a hacker who has now owned your network.
    • Clickmate. KLIK-mate. n. The moment when a hacker realizes a phishing campaign has captured the credentials of a network administrator.
    • Cyberchosis. si-bur-KO-sus. n. Delusional state that causes business owners to imagine they live in a world where hackers only attack other companies.
    • Duhpgrades. DUP-gradez. n. A series of long-overlooked and time-consuming upgrades that must be completed before a critical software patch can be installed.
    • Homepwnrship. HOME-PONE-er-ship. n. Taking over a corporate network by first hacking a remote worker who fails to follow proper security protocols.
    • Pastword. PAST-werd. n. 1) A password in use on multiple sites. 2) Any password that remains in use after a site where it is used has been hacked.
    • Pen-guesting. PIN-guess-ting. v. Using visitor login information to access sensitive data improperly secured on a company network.
    • Premiscuity. pri-miss-KEW-e-tee. n. Allowing an unknown person or persons into secure areas of a facility.
    • Ransomdare. RAN-sum-dair. v. To passively invite a cyberattack by refusing to provide cybersecurity training, allowing poor password hygiene, and failing to employ secure backup.

    Do you have any terms you’d like to add to our list? If so, visit us on Facebook, LinkedIn, Twitter, or Instagram and leave us a message. Better yet, share this post and bring your friends in on the fun.

    If you’d like to learn about cybersecurity terms we didn’t just make up, visit our glossary.

  • Realistically Assessing the Threat of Clickjacking Today

    Clickjacking is an easily preventable but sometimes difficult to understand vulnerability. In this article, we’re going to talk about the different ways this vulnerability can be exploited, the associated risk, and how to defend yourself against these types of attacks.

    Let’s start with an explanation of how this attack works.

    What is Clickjacking?

    At its core, clickjacking is an attack that is made possible when the web application does not implement the proper protections against embedding its pages in an iframe. An attacker leverages this behavior to “hijack” a user’s click and trick them into executing an action in their account.

    I’ve set up an instance of bWAPP, an intentionally vulnerable web application by ITSec Games, that will allow us to look at a clickjacking attack in practice. Our vulnerable web application is running at “bwapp.raxis.local,” and you’ll see this reflected in the screenshots and sample code below.

    Finding a Target

    The first thing we’ll need to do is find a page we can target. When looking for a page that might be vulnerable to clickjacking, it should allow for an action that meets three criteria:

    • It can be executed in a single click (or very few);
    • It affects a logged in user; and
    • It could have an undesirable effect on the user or the organization.

    It looks like our vulnerable web application has a page that meets all three criteria:

    A buggy app

    This page allows authenticated users to purchase movie tickets in a single click with a default of 10 tickets. No confirmation is required, and without manipulating the forms on this page, this will result in an unwanted purchase of €150 worth of movie tickets.

    This behavior might seem unlikely to exist in the wild, but there are many different types of susceptible pages, from order confirmations like this to functionalities allowing a user to delete entire databases. Some of these susceptible pages may even incorporate parameters in the URL, which can be passed by an attacker. For example, an application might use a URL like the one below to create an order confirmation page dynamically:

    http://example.com/order/confirm?product=jetski&quantity=10&payment=saved
    Checking for Clickjacking Protections

    Now that we have our target page, let’s look at how to use it in an attack.

    The first thing we need to determine is whether the target page can be embedded in an iframe. While there are several methods of doing this, the easiest and most reliable by far is to try to embed a target page into an iframe on an attacker-controlled web page and see if it works. Let’s code up the web page now.

    Code to test if the target page can be embedded in an iframe

    As we can see, there’s nothing very complex to this code. It’s a barebones HTML file, which includes an iframe referencing the page we want to embed. Let’s open up our HTML file in our browser and see if this works.

    Webpage can be embedded in an iframe

    The web page loads into the iframe without issue. We can also see that, since we were already logged in to bWAPP, our session carried over.

    Executing the Attack

    Now that we have a good idea that the page is vulnerable, all we have left to do is code up a page designed to trick the user into clicking the Confirm button and convince the user into visiting to our malicious page.

    To build this malicious page, we’re going to construct an enticing user interface:

    The clickjacking user interface

    Then, we’ll stick the iframe on top and align the Confirm button with the View button. I’ve made the iframe partially transparent in the screenshot below so you can see the multiple layers.

    Webpage showing both the embedded page and the iframe page partially transparent

    And finally, we’ll make the iframe completely transparent so that the user doesn’t even know that it’s there.

    Completely transparent iframe with invisible embedded clickjacked website

    Now, when the user clicks the view button, they’ll actually be clicking the invisible Confirm button and purchasing 10 movie tickets, provided they’re logged in to their account.

    Partially transparent clickjacked page showing that a click on the submit button will confirm a purchase on the embedded site.

    Mission accomplished.

    Here is the code that I threw together quickly for the purposes of this demo:

    Clickjacking code

    Perhaps the trickiest part of this attack is coming up with a method that will get users to go to our malicious page. An attacker might:

    • Post a link to the malicious page in social media
    • Email a malicious link to a user or group of users
    • Embed a link in a QR code
    • Attach the malicious HTML file to an email
    • Leverage another vulnerability such as cross-site scripting (XSS) or open redirection
    When Clickjacking isn’t Clickjacking

    Let’s look at a different style of attack that’s popular among some penetration testers. This attack embeds a login page and places input elements on top of the login fields:

    Outdated clickjacking PoC

    The overlaid fields are shown in blue for this article but would normally be completely invisible to the user. When a user fills out this form and submits it, the login request is instead sent to an attacker-controlled server, giving the attacker access to the user’s unencrypted credentials. You can read more about this style of attack here.

    But is this type of attack really considered clickjacking? It involves an embedded iframe and overlays, but it is drastically different from our previous example. To determine this, let’s put ourselves into the mindset of an attacker.

    As an attacker, our goal here is to capture as many credentials as reliably as possible while evading detection. There are at least two approaches we can take:

    • Embed the target login page in a malicious HTML page as shown in the proof of concept, or
    • Clone the HTML code of the login page and modify the form to send to a malicious server

    These approaches are very similar. Both require hosting the page on a malicious web server, both require misleading the user into visiting a malicious link, and both redirect user input to a malicious server. Both approaches even run the same risk of the malicious web server being reported, blocked, or shut down.

    However, when embedding the login page, there are additional factors that the attacker must consider:

    • The target login page may already have clickjacking protections in place;
    • The target login page could be altered, breaking the malicious page;
    • The target login page could implement clickjacking protections, breaking the malicious page;
    • The target login page cannot be easily modified by the attacker;
    • It’s possible for the target page to determine and report the URL of the malicious page; and
    • The malicious page may not look or function correctly if the window is resized

    When considering the large number of downsides of using an iframe and overlay elements to conduct this attack, it is extremely unlikely that an attacker would attempt to execute it through clickjacking. Far more likely is that an attacker would simply clone the login page using a myriad of freely available tools designed to do exactly this.

    Implementing protections against clickjacking would not stop this attack from occurring. Instead, the attacker would simply clone or recreate the page, which cannot be prevented. The proof of concept itself is also a stretch from the commonly agreed upon definition of clickjacking. For these reasons, Raxis in most cases no longer considers this type of attack to be clickjacking. Instead, we label this as a misconfigured security-related header, which continues to inform the customer of the small but perceptible risk, without blowing what’s essentially a non-exploitable vulnerability out of proportion.

    Protecting Against Clickjacking

    Despite the complex nature of a clickjacking attack and its reliance on phishing, developers should still take a layered approach to protecting their applications from this type of attack. This can be done by properly configuring two response headers and by properly setting flags on cookies.

    Content-Security-Policy

    For the uninitiated, Content-Security-Policy is a highly versatile header which can offer a large amount of protection to the end user when configured properly. You can generate one at https://report-uri.com/home/generate, and verify your existing one at https://csp-evaluator.withgoogle.com/.

    To prevent pages from being embedded in iframes, we can use the frame-ancestors directive. Here’s a few ways this can be properly implemented:

    • Content-Security-Policy: frame-ancestors ‘none’ – Prohibits the page from being embedded anywhere
    • Content-Security-Policy: frame-ancestors ‘self’ – Allows the page to be embedded on the same domain only (exclusive of subdomains)
    • Content-Security-Policy: frame-ancestors https://*.raxis.local https://raxis.local – Allows the page to be embedded on raxis.local and any of its subdomains
    X-Frame-Options

    X-Frame-Options used to be the primary line of defense against iframe embedding but has since been made obsolete by the frame-ancestors directive. Unless, of course, your users are using any version of Internet Explorer. To cover all our bases and take off this 1.1% of users, we need to add this header for legacy purposes. Configure this header in one of the following ways:

    • X-Frame-Options: DENY – Prevent the page from being embedded anywhere
    • X-Frame-Options: SAMEORIGIN – Allow the page to be embedded on the same domain only
    Cookie Attribute – SameSite

    A relatively new cookie attribute, SameSite, can also help protect against clickjacking by restricting the conditions in which cookies (such as a session token or JWT) are sent by the browser.

    As of mid-2020, SameSite is set to Lax by default when the attribute is not set in Set-Cookie. This value prevents cookies from being sent in iframes, which essentially breaks any clickjacking attack that relies on the user being logged in.

    To use the SameSite attribute as an additional layer of protection against clickjacking, configure the SameSite attribute on your session-related cookies to one of the following values:

    • SameSite=Strict – No cross-site cookies, ever
    • SameSite=Lax – Cross-site cookies only when the user is navigating to the original site

    Since Lax is the default, you can leave this value unconfigured, but it’s a best practice to explicitly configure it as one of the above values, both from a documentation and security standpoint.

    You can read more about the SameSite attribute at https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite.

    Side Note: Setting SameSite to Strict or Lax also helps defend against cross-site request forgery (CSRF) attacks.

  • Cross-Site Scripting Vulnerability in ManageEngine AD Self Service Plus (CVE-2021-27956)

    I’m Matt Dunn, lead penetration tester at Raxis.This is a summary of the first stored cross-site scripting vulnerability I discovered while testing several Zoho-owned ManageEngine products. This vulnerability exists in the AD Self Service Plus Version 6.1.

    Summary

    Recently I discovered a stored cross-site scripting (XSS) vulnerability in the Zoho-owned ManageEngine AD Self Service Plus for Version 6.1 (CVE-2021-27956). The vulnerability exists in the email field of search results on the page: /webclient/index.html#/directory-search. After searching for a user, if the “More” tab is clicked, the email field is loaded with unescaped content, allowing for malicious JavaScript to be reflected back to users.

    Proof of Concept

    The vulnerability can be triggered by inserting HTML content, in this case script tags, into the email field of an Active Directory user. The following was inserted as a proof of concept to reflect the user’s cookie in an alert box:

    <script>alert(document.cookie)</script>

    An example of this on one such user is shown here:

    Stored XSS Payload

    After searching for that user, the HTML is then presented unescaped on the web page, which allows the script tags to be loaded as valid JavaScript. The unescaped HTML as loaded is shown here:

    Unescaped JavaScript Tags

    After loading the search page, clicking the “More” tab triggers the vulnerability, which is shown in Figure 3:

    XSS Payload Executed
    Affected Versions

    Raxis discovered this vulnerability on ManageEngine AD Self Service Plus 6.1, build 6100.

    Remediation

    Upgrade ManageEngine AD Self Service Plus to Build Version 6104 immediately. The ServicePack can be found here with release notes here.

    Disclosure Timeline
    • February 19, 2021 Vulnerability reported to Zoho
    • February 19, 2021 Zoho begins investigation into report
    • March 5, 2021 CVE-2021-27956 assigned to this vulnerability
    • May 8, 2021 Zoho releases patch for this vulnerability

    CVE Links

  • LDAP Passback and Why We Harp on Passwords

    Hackers are like anyone else in that they would rather work smarter, not harder – picking the low-hanging fruit first. Oftentimes, we find companies who put it in front of them without even knowing it.

    In today’s video, I demonstrate how to conduct a Lightweight Directory Access Protocol (LDAP) passback attack, essentially using third-party hardware or software as an access point to a company network. I’ll show you three different ways to conduct the attack and offer some helpful tips on how to defend against it. 

    What I believe is important to add here is the common thread that links all of them: access to a password. If you want to know why our discussions seem to always circle back to that concept, it’s because an improperly protected password is a master key for hackers, whether their hats are white or black. 

    One is usually all we need to get inside your network. From there, the possibilities are limited only by our imaginations (and our scope of work). As I discuss at the outset of the video, too many of our customers make it easy by leaving devices like printers set to their default passwords or even null passwords, meaning they never created a password to begin with.

    Once we control the device, capturing legitimate passwords is easy. The Raxis team has conducted several internal network tests where discovering an admin interface with default or null credentials got us full domain admin access to the network. In one case, a vendor told the company that the default password was okay to use for a few weeks until things were all set up. On another, we found a password file on a sensitive file share that was set up without a password while the IT staff moved it to a new server. And still another company had no clue a system had a default password. They said it had always been that way. 

    LDAP passback attacks can be prevented, but it takes companies implementing robust security protocols for everything with an IP address on your network – including printers and other devices. 

    Remember, if it’s connected, it must be protected. 

    Make sure all your devices are locked down with a strong password — no matter how innocuous the device may seem. It’s a hacker’s job to find their way in. It’s Raxis’ job to identify these vulnerabilities so that you can correct them before that happens. 

    Our team of experts are ready to help you and your organization find its weaknesses and help you strengthen your security. Talk with our team today.

  • A High-Tech Take on an Old-Time Scam

    “There’s not much chance your customers are going to search for you and land on an Albanian copycat site.”

    Raxis VP of Engineering, Brian Tant

    If you get an email warning you that another (usually overseas) company is vying for your brand’s domain name with various country extensions – cn, .hk, .af, etc. – be assured it’s not someone aiming to help. Instead, they’re most likely scammers trying to convince you to send them money in order to secure your hold on yourbrand.nz before some evil corporation in Uzbekistan snatches it right out from under you.

    As you might expect, people do fall for it and spend hundreds and even thousands of dollars only to discover that a) there is an exhaustive list of domain extensions out there and b) the people they’ve paid won’t really secure any of them. Fortunately, that last part is mostly a nonissue. 

    The truth is, very few US-based companies have a need to own foreign domain extensions unless they have a physical presence in the country. Even then, it may not be necessary unless a competing brand is actively trying to damage your business, in which case most countries have laws in place to prevent such malicious activity.

    Search engines are sophisticated enough now to distinguish between legitimate, established domains and pop-up imitators, so there’s not much chance your customers are going to search for you and land on an Albanian copycat site. 

    Still, the emails can sound very convincing, and, believe it or not, they are really a modern update to a scam that flourished in the late ‘90s and early 2000s. That one involved the Yellow Pages and was made possible because AT&T never trademarked the name or the iconic walking fingers logo. 

    Here’s how it worked: Just days after a new company incorporated or applied for its licenses, an official-looking invoice would arrive from The Yellow Pages. No business wanted to be left out or forced to wait a year to be included, so many quickly filled out their information and sent a check. 

    Weeks later, unfortunate business owners would get another Yellow Pages invoice, this time the local version – the one people actually used. When they called the phone company to complain, they would learn that their first checks had gone to a group that published a perfectly useless national version of the yellow pages. It listed only those businesses that had fallen for the scam and was distributed only to them.

    Word about the faux yellow pages eventually got around and made it much harder to sell. We can only hope the same will be true of the domain name scam. Of course, the great irony here is that the internet has all but made the yellow pages irrelevant to modern businesses. At the same time, it has made possible a high-tech, international version of its most annoying racket