In one of our previous posts, we noted that a popular tool – Responder – uses Basic Authentication prompts to harvest user credentials when they accidentally enter invalid domains in web browsers.
Responder’s approach is pretty good and it does some “magic” to catch and respond to DNS requests for in-existing domais, however I think that there is way more potential in using Basic Authentication for phishing purposes.
What I like (or dislike) most about basic authentication is that it is NEVER clear who is asking for your credentials and where they will end up. This type of confusion often tricks users into falling for simple phishing tricks, allowing attackers to easily gather user credentials.
There are a good number of situations when we find ourselves abusing the LLMNR and NBT-NS protocols on an infrastructure penetration test, more specifically on an Active Directory setup. These 2 protocols are enabled by default on most of the Windows operating systems. What are they doing is they facilitate the communication between network machines when searching for a DNS hostname regardless if it’s a share, a server or a web hostname.
The overview picture of the attack vector:
- the victim is looking for a non-existing hostname
- the DNS server cannot resolve the request
- we reply and resolve the hostname resolution query
- we ask the victim for authentication
In a recent penetration testing project we encountered a situation where in order to prove exploitability and possible damage we had to exfiltrate data from an isolated server using an OS command injection time based attack.
The scope of the project was an API. During the testing process we identified an interesting GET request that received 2 parameters: the first a string and the other one ID number.
By fuzzing the string parameter, at first, it looked like we had a potential SQL injection, based on the way it handled single quotes. Trying this attack vector didn’t seem successful, but when we sent the ` sleep 10` command and the HTTP response returned 10 seconds later, we knew we had something. Our first thought was that this was game over for the application, we managed to get a Remote Code Execution on the API server.
There are various cases when during an IT/ security assurance projects there are specific requirements to rely on penetration testing projects/ reports completed by a third party.
However, not always, the IT security auditors have the necessary information to assess the quality of the penetration testing projects (focusing on planning, projects delivery and reporting).
And I address here the IT security assurance projects having in scope IT systems and finalizing with an Independent Auditor Report (IT Audit Opinion) and not audits focused on processes (like ISO audits) or on specific IT controls relevant for specific objectives (like ISAE 3402 IT/ Security assurance projects).
IT/ Security auditing standards
In order to have a consistent and objective assessment of third party reports, an IT security auditor must refer to the auditing standards he is using for performing his engagement.
And if we consider the IT audit standards available on the market, we must look at ISACA framework. There are also other standards applicable to various industries or specific objectives, focused on management systems, like ISO standards, but ISACA’s are the only ones of general nature which can be used cross-platforms, industries, etc. And as support for this, I performed some quick Internet searches and found mostly the same views.
For example, in one of its papers, NIST recognizes the entities enumerated below as addressing the IT auditing within their standards, further states that all of them taken essentially the same position concerning audits involving information systems and continues focusing on ISACA’s CobIT.
- The American Institute of Certified Public Accountants (AICPA) in several Statements on Auditing Standards (SASs);
- Institute of Internal Auditors Association (IIA) in its Standards for the Professional Practice of Internal Auditing;
- Information Systems Audit and Control Association (ISACA) in its “ITAF™: A Professional Practices Framework for IS Audit/Assurance”
- S. General Accounting Office (GAO) in its Government Auditing Standards and Title 2, Accounting.
Probably you’re here because you’re interested in obtaining the OSCP certification. Smart decision, good for you! Or maybe you are interested in obtaining a certification in info-sec, but you are still looking for the right one? Even if you are just looking for a way to boost your technical skills, you may be interested in becoming an Offensive Security Certified Professional.
I recently went through the course (Penetration testing with Kali Linux) and certification exam, so here is some of my experience and a few thoughts, you might find them useful.
There is no secret that in order to obtain this certification, you need to dedicate a great amount of time and ambition and I completely agree with this.
Also, rumour has it that you already need to have Godlike skills in everything there is to know, or else you won’t understand the materials. I can honestly say that the rumours aren’t true. A strong background in info-sec is preferred, however the course materials are very well explained, there are plenty resources for learning your way through this course, all you need is the determination to try harder and read more, until you fill all knowledge gaps that might appear.