BackTrack Linux

BackTrack is the most top rated linux live distribution focused on penetration testing. With no installation whatsoever, the analysis platform is started directly from the CD-Rom and is fully accessible within minutes.

It's evolved from the merge of the two wide spread distributions - Whax and Auditor Security Collection. By joining forces and replacing these distributions, BackTrack has gained massive popularity and was voted in 2006 as the #1 Security Live Distribution by insecure.org. Security professionals as well as new-comers are using BackTrack as their favorite toolset all over the globe.

BackTrack has a long history and was based on many different linux distributions until it is now based on a Slackware linux distribution and the corresponding live-CD scripts by Tomas M. (www.slax.org) . Every package, kernel configuration and script is optimized to be used by security penetration testers. Patches and automation have been added, applied or developed to provide a neat and ready-to-go environment.

After coming into a stable development procedure during the last releases and consolidating feedbacks and addition, the team was focused to support more and newer hardware as well as provide more flexibility and modularity by restructuring the build and maintenance processes. With the current version, most applications are built as individual modules which help to speed up the maintenance releases and fixes.

Because Metasploit is one of the key tools for most analysts it is tightly integrated into BackTrack and both projects collaborate together to always provide an on-the-edge implementation of Metasploit within the BackTrack CD-Rom images or the upcoming remote-exploit.org distributed and maintained virtualization images (like VMWare images appliances).

Being superior while staying easy to use is key to a good security live cd. We took things a step further and aligned BackTrack to penetration testing methodologies and assessment frameworks (ISSAF and OSSTMM). This will help our professional users during their daily reporting nightmares.

Currently BackTrack consists of more than 300 different up-to-date tools which are logically structured according to the work flow of security professionals. This structure allows even newcomers to find the related tools to a certain task to be accomplished. New technologies and testing techniques are merged into BackTrack as soon as possible to keep it up-to-date.

Execute Disable Bit

The challenge

Malicious buffer overflow attacks pose a significant security threat to businesses, increasing IT resource demands, and in some cases destroying digital assets. In a typical attack, a malicious worm creates a flood of code that overwhelms the processor, allowing the worm to propagate itself to the network, and to other computers. These attacks cost businesses precious productivity time, which can equal significant financial loss.

The solution

Intel's Execute Disable Bit¹ functionality can help prevent certain classes of malicious buffer overflow attacks when combined with a supporting operating system.

Execute Disable Bit allows the processor to classify areas in memory by where application code can execute and where it cannot. When a malicious worm attempts to insert code in the buffer, the processor disables code execution, preventing damage and worm propagation.

Replacing older computers with Execute Disable Bit-enabled systems can halt worm attacks, reducing the need for virus-related repairs. In addition, Execute Disable Bit may eliminate the need for software patches aimed at buffer overflow attacks. By combining Execute Disable Bit with anti-virus, firewall, spyware removal, e-mail filtering software, and other network security measures, IT managers can free IT resources for other initiatives.

Passwords and More Authentication Fun

Often, while my students are working on a lab, I’ll take this time to search for more class demos. It seems that many of the demos we discuss in class soon get fixed. I’m not sure how or why, but this is often the case. Parameter manipulation — they’re all fixed within a few weeks of discussing them in class. The list goes on, but this is so frequent that I stopped tracking them. Regardless of the reasons, these vulnerabilities get fixed, and I’m glad they do. And I really don’t mind doing some basic research into finding more. So here’s today’s example, as it applies to password policy and authentication fun.

I’ll start off by listing some common authentication-related vulnerabilities I often see and then discuss some error messages I recently found on a popular travel site. I’ll also add some “malicious” ideas, just for fun–to get you thinking.

Common authentication-related vulnerabilities:

• Password policy is weak
• Password policy is strong, but not enforced
• No account lock out (or worse, account lockout tracked at the client side)
• Login error messages let me know whether the username is valid
• Password hints!

Related error messages from a recent find at a travel site:

• “A password must be 5-12 characters long and have no spaces.”–when registering an account.
• “The e-mail and password you have entered do not match. Please try again.”–when attempting to log in with an invalid username or password.
• “That e-mail address is not on file. Please try again.”–when attempting to display the password hint for an invalid account.
• Note: the password hint is happily displayed if you enter a valid username.

Some initial thoughts

• How easy is it to harvest emails or buy a few million email addresses?
• Could a quick script cycle through a list of email addresses and capture password hints?
• How difficult would it be to guess a few password hints based on several hundred or thousand captured password hints?
• This site allows you to save a credit card on file and use it to book travel/hotels/more without verifying anything.
• I wonder if I could book travel on someone else’s account without them knowing. All I need to do is suppress the email confirmation or point their registered email to a different one. By the time the con has been exposed, the postcards I sent from Mexico will have been received.

Do you see where this is going? The main culprit wasn’t the password policy itself. If I had to write the equation, it would look a lot like this (seriously):

Mediocre password policy + password hints + stored credit card info + having a lot of users + nongeneric error messages + not verifying anything on checkout = free trip to Mexico.

Now, let’s go cliff diving in Acapulco!

Microsoft Internet Information Services Vulnerability Gives Complete Server Control

Microsoft has confirmed a vulnerability in its Internet Information Services webserver and spelled out the conditions under which it can be exploited to give an attacker complete control of the server on which it runs.

Remote execution of malicious code can be triggered only in limited cases, and even then, it’s relatively easy to change settings that close that possibility. Even then, exploits can still touch off denial-of-service attacks that completely shut down file transfer protocol.

Proof-of-concept code exploiting the vulnerability was released Monday. Microsoft said it will release a fix as soon as it’s ready.

The vulnerability can be exploited only if IIS is configured to allow FTP and untrusted users have the ability to create their own directories. Users of IIS on Windows 2000 and Windows Small Business Server 2003 face the biggest threat because FTP is enabled by default, but even then, users aren’t given write access unless settings have been changed.

In that case, or in cases where users of version 5.1 have turned on FTP and write access, attackers can gain complete control over servers by listing directories with specially manipulated names that trigger a buffer overflow in the application.

Users of IIS6 also face the possibility of DoS attacks, but because the application was built using a compiler setting that automatically terminates applications that have been attacked, remote execution is a much more remote possibility, Microsoft said. IIS7, because it runs on the more secure Vista and Server 2008 versions of Windows, is not vulnerable.

For those at risk, Microsoft recommends the following workarounds until a patch is released:

Turn off FTP if it’s not needed

Disable the creation of new directories

Disable the ability for anonymous users to write using IIS settings

Microsoft said its working with providers of intrusion prevention systems so they can identify attacks. Meanwhile, admins can detect attacks by reviewing log files.