We have decided to make public a video that we have used on several talks in the past, demonstrating a network attack against a PC, performed via GPRS/EDGE (which is the important point here), using a fake GSM/GPRS/EDGE base station. The video is available for online viewing at our YouTube channel (direct link here), and for direct download, at our lab.
The point of the video is to show that GPRS/EDGE communications are as easy to intercept, manipulate, and take advantage of, as GSM (voice and SMS) communications, using a fake GSM/GPRS/EDGE base station.
In the past, we have explained the underlying GSM/GPRS/EDGE vulnerabilities and shown this kind of attack, live. If you are interested in this details, check out "A practical attack against GPRS/EDGE/UMTS/HSPA mobile data communications" (English) and "Un ataque práctico contra comunicaciones móviles" (Spanish).
With the publication of this video we hope to contribute in creating awareness of this problem, and help organizations realize it is necessary to take into account these weaknesses when performing a risk assessment.
The example shown in the video is a victim PC, running XP SP3 with a version of Java Runtime Environment (JRE) prior to version 6 update 24. The victim connects to the Internet using a 3G/2G modem, getting EDGE service from a rogue base station that the attacker has set up using the open source suite OpenBSC+OsmoSGSN+OpenGGSN+LCR.
The attacker then injects HTML content in the HTTP traffic of the victim, redirecting his browser to the Metasploit exploit "java_codebase_trust". This allows him to get a Meterpreter session in the victim PC, giving him full control over the victim PC.
To demonstrate the control over the victim's PC, the attacker obtains a screenshot of the victim PC. Then, the attacker scrolls up and down through the list of available commands offered by Meterpreter, and the video ends when the attacker invokes a shell (cmd.exe) of the victim PC.
The point of the video is not that this particular java vulnerability, which is quite old, can be exploited by an attacker. The point is that any remote vulnerability that you might have in your systems, either well known or zero day, could be exploited by an attacker using a fake GSM/GPRS/EDGE base station, if you use such communication.
If you want to avoid this path of attack, make sure all of your mobile devices use 3G (UMTS) and (and this is critical) do not accept 2G service (GSM/GPRS/EDGE) under any circumstances, and/or protect all of your network traffic at a higher level.
Wednesday, November 7, 2012
Monday, September 17, 2012
SamuraiWTF 2.0 SVN Repository & Bug Tracker
With the recent release of SamuraiWTF 2.0 we have introduced significant changes to the official SamuraiWTF SVN repository, available at
http://svn.code.sf.net/p/samurai/code/trunk/ (check the new SourceForge.net project code section). This repository was mainly used in the past by the development team, thus these changes try to open up the repository to any user interested on updating the latest official SamuraiWTF version available from the project downloads section. As part of all these 2.0 related changes, we have also migrated the project to the new SourceForge.net (SF.net) platform, so the project web page look & feel and layout have changed, as well as some project's links (all the links in this post point to the new platform).
The idea is to use the SVN repository to provide fixes for known bugs between major SamuraiWTF releases, as well as updates for new features and tools (in future SVN revisions). Therefore, the current SVN repository contents include fixes for a few well known bugs associated to the SamuraiWTF 2.0 version in the form of individual bash scripts. These fixes will be included in the next SamuraiWTF version, 2.1, but meanwhile you can apply them to your private SamuraiWTF 2.0 instance.
The SVN repository contains a main script to apply all the available fixes ("fix.sh"), and a "fixes" directory. The "fixes" directory contains two types of scripts, those starting with "fix_" and a number, which corresponds to the ID associated to the bug the script fixes from the official SamuraiWTF bug tracker (eg. 25, after the migration), plus a descriptive text at the end of the filename, and those without a number, as the fix applies to a bug that has not been reported through the bug tracker.
In order to apply all the available fixes you simply need to follow these steps:
1. Start with a clean SamuraiWTF 2.0 instance (Live DVD or VM; take a look at the previous blog posts explaining how to create a SamuraiWTF 2.0 virtual machine in VMware Fusion, Workstation, and Player).
2. Perform an initial checkout to retrieve the current SVN trunk contents from the official SamuraiWTF repository:
$ svn co http://svn.code.sf.net/p/samurai/code/trunk samurai
3. Step into the new local SVN copy and run the "fix.sh" script using sudo:
$ cd samurai
$ sudo ./fix.sh
The following screenshot shows the initial SVN process:
The main "fix.sh" script keeps a log of the fixes already applied, with the idea of avoiding applying the same fix every time the "fix.sh" script is executed. Thus, you can periodically update your local SVN copy ("svn up") with the most recent SVN contents and fixes, and run the script again:
$ cd samurai
$ svn up
$ sudo ./fix.sh
The following screenshot shows the SVN update process:
As new bugs are discovered and reported in the official SamuraiWTF bug tracker (please use the "v2.0" group to report all SamuraiWTF 2.0 issues), the plan is to create fix scripts for them and add those to the SVN repository. Bugs (or tickets) will remain in the "open" status till we find a solution for them, and once we have a fix script ready, they will be moved to the "pending" status till they are implemented on the next release, such as 2.1.
Additionally, in a near future we plan to add to SVN a similar "update.sh" script, plus the corresponding "updates" directory, to be able to provide updates for other SamuraiWTF features and tools (that you can request and report via the official SamuraiWTF feature requests tracker). When adding new feature requests use the "Next Release" milestone so that we can evaluate what release it will be added to.
We encourage you to use SamuraiWTF 2.0, apply the fixes from the SVN repository, and help us by reporting bugs and solutions to the mailing-list, and more importantly, though the bug tracker and feature requests tracker. In order to create new bug and feature requests tickets you need to authenticate in the SF.net platform.
An interesting conclusion from the weekly stats download count: Although the SamuraiWTF 2.0 ISO image has been downloaded 1,169 times, the corresponding MD5 file has been downloaded only 19 times. It seems that less than 2% of users check the ISO image MD5 hash (...unless you know it from the top of your head) :o)
Appendix: SVN SamuraiWTF Commands
With the recent project migration to the new SourceForge.net platform it is possible to perform a checkout of the SVN contents using SVN or HTTP (both unencrypted):
$ svn co svn://svn.code.sf.net/p/samurai/code/trunk samurai
$ svn co http://svn.code.sf.net/p/samurai/code/trunk samurai
Unfortunately, there is no encrypted alternative to checkout the SVN contents anonymously, as there was in the past (the command below, based on HTTPS, doesn't work anymore and requests user credentials):
$ svn co https://svn.code.sf.net/p/samurai/code/trunk samurai
However, the encrypted option that still works (I don't know for how long it will be available...) is the one that retrieves the contents from the old SVN repository via HTTPS (I recommend you NOT to use it - I included it here just for documentation purposes):
$ svn co https://samurai.svn.sourceforge.net/svnroot/samurai/trunk/ samurai
Additionally, as a project developer, it is possible to get encrypted and authenticated read-write (RW) SVN checkout access via SVN+SSH (replace USER with your SF.net username; check all these new options in the project code section):
$ svn checkout --username=USER svn+ssh://USER@svn.code.sf.net/p/samurai/code/trunk samurai
The idea is to use the SVN repository to provide fixes for known bugs between major SamuraiWTF releases, as well as updates for new features and tools (in future SVN revisions). Therefore, the current SVN repository contents include fixes for a few well known bugs associated to the SamuraiWTF 2.0 version in the form of individual bash scripts. These fixes will be included in the next SamuraiWTF version, 2.1, but meanwhile you can apply them to your private SamuraiWTF 2.0 instance.
The SVN repository contains a main script to apply all the available fixes ("fix.sh"), and a "fixes" directory. The "fixes" directory contains two types of scripts, those starting with "fix_" and a number, which corresponds to the ID associated to the bug the script fixes from the official SamuraiWTF bug tracker (eg. 25, after the migration), plus a descriptive text at the end of the filename, and those without a number, as the fix applies to a bug that has not been reported through the bug tracker.
In order to apply all the available fixes you simply need to follow these steps:
1. Start with a clean SamuraiWTF 2.0 instance (Live DVD or VM; take a look at the previous blog posts explaining how to create a SamuraiWTF 2.0 virtual machine in VMware Fusion, Workstation, and Player).
2. Perform an initial checkout to retrieve the current SVN trunk contents from the official SamuraiWTF repository:
$ svn co http://svn.code.sf.net/p/samurai/code/trunk samurai
3. Step into the new local SVN copy and run the "fix.sh" script using sudo:
$ cd samurai
$ sudo ./fix.sh
The following screenshot shows the initial SVN process:
$ cd samurai
$ svn up
$ sudo ./fix.sh
The following screenshot shows the SVN update process:
Additionally, in a near future we plan to add to SVN a similar "update.sh" script, plus the corresponding "updates" directory, to be able to provide updates for other SamuraiWTF features and tools (that you can request and report via the official SamuraiWTF feature requests tracker). When adding new feature requests use the "Next Release" milestone so that we can evaluate what release it will be added to.
We encourage you to use SamuraiWTF 2.0, apply the fixes from the SVN repository, and help us by reporting bugs and solutions to the mailing-list, and more importantly, though the bug tracker and feature requests tracker. In order to create new bug and feature requests tickets you need to authenticate in the SF.net platform.
An interesting conclusion from the weekly stats download count: Although the SamuraiWTF 2.0 ISO image has been downloaded 1,169 times, the corresponding MD5 file has been downloaded only 19 times. It seems that less than 2% of users check the ISO image MD5 hash (...unless you know it from the top of your head) :o)
Appendix: SVN SamuraiWTF Commands
With the recent project migration to the new SourceForge.net platform it is possible to perform a checkout of the SVN contents using SVN or HTTP (both unencrypted):
$ svn co svn://svn.code.sf.net/p/samurai/code/trunk samurai
$ svn co http://svn.code.sf.net/p/samurai/code/trunk samurai
Unfortunately, there is no encrypted alternative to checkout the SVN contents anonymously, as there was in the past (the command below, based on HTTPS, doesn't work anymore and requests user credentials):
$ svn co https://svn.code.sf.net/p/samurai/code/trunk samurai
However, the encrypted option that still works (I don't know for how long it will be available...) is the one that retrieves the contents from the old SVN repository via HTTPS (I recommend you NOT to use it - I included it here just for documentation purposes):
$ svn co https://samurai.svn.sourceforge.net/svnroot/samurai/trunk/ samurai
Additionally, as a project developer, it is possible to get encrypted and authenticated read-write (RW) SVN checkout access via SVN+SSH (replace USER with your SF.net username; check all these new options in the project code section):
$ svn checkout --username=USER svn+ssh://USER@svn.code.sf.net/p/samurai/code/trunk samurai
Friday, September 14, 2012
How to Create a SamuraiWTF 2.0 Virtual Machine in VMware Player
The SamuraiWTF (Web Testing Framework) can be run as a live CD/DVD, although when performing web application penetration tests, I like to run it inside a virtual machine. SamuraiWTF 2.0 is based on Ubuntu 12.04 LTS and uses KDE (by default) - Why there was no SamuraiWTF 1.0 version? The steps below detail how to create a SamuraiWTF 2.0 virtual machine in VMware Player 5 (5.0.0) over Windows 7 (64-bits) and Windows XP (32-bits). The steps required for VMware Player over Linux would be very similar.
Creating a New Virtual Machine
Open VMware Player and create a new virtual machine (VM): [Player] Menu - File - New Virtual Machine... This will launch the "New Virtual Machine Wizard". In the welcome screen select "I will install the operating system later.", and click "Next >". In the "Select a Guest Operating System" select Linux as the "Guest operating system" and Ubuntu as the "Version", and click "Next >".
The "Name the Virtual Machine" window allows you to select the virtual machine name (eg. "SamuraiWTF-2.0"), and indicate where you want to save the new VM (directory, such as "C:\VMWARES\SamuraiWTF-2.0"). Click "Next >". In the "Specify Disk Capacity" screen define the maximum hard disk size (by default, 20 GB). All the other disk capacity options can be left with the default values. Click "Next >".
Finally, the "Ready to Create Virtual Machine" screen details all the VM settings selected, and allows you to modify other settings through the "Customize Hardware..." button. Click this button and access the "Memory" section. Change the amount of RAM to 2048 MB or more from the default of 1024 MB. Access the "New CD/DVD (IDE)" section, select "Use ISO image file:", and browse to the ISO file for SamuraiWTF 2.0 ("SamuraiWTF-2.0-i386.iso") from the "Browse..." button. Once the amount of RAM and the CD/DVD location have been changed, click "Close".Optionally, you can also adjust other settings, such as the network interface type (by default, NAT). From the "Ready to Create Virtual Machine" screen, as the VM is ready to boot, click the "Finish" button.
You need to click the "Power On" button (or "Play virtual machine" link) to power on the VM after creation.
Booting SamuraiWTF 2.0
The recently created VM will start up, using the default Linux boot option, "Start SamuraiWTF". Wait till the SamuraiWTF desktop shows up.
Installing SamuraiWTF 2.0 to the hard disk
NOTE: The screenshots below correspond to VMware Workstation as they are the same exact ones for VMware Player, so I tried not to duplicate work from the previous blog post :o)
Double click the "Install SamuraiWTF 2.0" icon from the desktop and follow the installation wizard. From the "Language" screen select the language for the installation process and click "Continue".
The "Prepare" step recommends to have more than 15GB of free disk space and Internet connectivity. Select the "Download updates while installing" option to get the latest software, and optionally the "Install this third-party software", and click "Continue".
On the "Disk Setup" window leave the default guided disk layout and click on "Install Now".
On the "Timezone" screen select your timezone and, while the installation process starts copying files (a significant time optimization improvement over previous versions, but take into account that it can consume lots of your computer's resources while following the next installation steps), and click "Continue".
On the "Keyboard" screen select your keyboard layout and click "Continue".
On the "User Info" screen select your username and password, plus the hostname. It is highly recommended to change the default SamuraiWTF password (samurai - www.whatisthesamuraipassword.com) and use a long passphrase instead. It is preferable to select a custom hostname that does not include references to SamuraiWTF (by default "samurai-virtual-machine" is pre-filled). Leave the "Require my password to log in" option, although it won't be applied in version 2.0 due to recent changes to fix a very old bug. Click "Continue".
NOTE: A race condition has been identified (sometimes) depending on the time it takes to reach from the "Disk Setup" screen till the "User Info" screen, where the "Keyboard" step will directly jump into the "Install" step, bypassing the "User Info" screen. Quickly moving through the timezone and keyboard setup seems to help to avoid this unexpected behavior. If you suffer this behavior it is recommended to repeat the setup by booting the VM again from the ISO image.
The process will remain on the "Install" screen while all the files are copied and the different system elements are configured.
Once the installation finishes you will get an "Installation Complete" popup. It is recommended to click the "Restart Now" button to start using the SamuraiWTF instance installed on the hard disk, instead of the live instance from the ISO image.
There is a bug in the reboot/shutdown process of the live CD/DVD version, where the message that suggests the user to eject the CD/DVD and press any key to restart/shutdown does not show up. Once you get the following background SamuraiWTF image, press any key to reboot/shutdown the VM.
After rebooting, the VM CD/DVD is not connected, so the system directly boots from the recently installed hard disk. You can unplug the SamuraiWTF ISO image from the CD/DVD by going to the "[Player] Menu - Removable Devices - CD/DVD (IDE) - Settings..." option and selecting "Use physical drive".
Once the new SamuraiWTF VM boots up you will be directly presented with the desktop, where the installation icon is not available anymore, but access to the README and CHANGELOG files, the latest version of the official SamuraiWTF training material in PDF format (as of today, v13 - see more details about upcoming training sessions below) and folders with the output of tools, a few wordlists, and exploit/payloads from several tools.
If you do not see the desktop icons, simply resize the VM window (this seems to be a bug in VMware Player).
Updating VMware Tools
VMware Tools are already installed in SamuraiWTF 2.0, thus you can directly copy & paste between the host and the guest operating systems. However, depending on the VMware version you are using you might want to update VMware Tools.
Go to the "[Player] Menu - Manage - Update VMware Tools..." menu in VMware. Depending on your setup, or if this is the first time you install/update VMware Tools on a Linux VM, VMware might need to download them first. If this is the case, click the "Download and Install" button.
The CD is not automatically mounted on Ubuntu 12.04 if there is no password set for the root user (see related VMware doc), as in SamuraiWTF 2.0, so you need to manually mount the CD and launch the VMware Tools installation process:
$ sudo mount /dev/cdrom /media/cdrom
$ cd /tmp
$ tar xvzf /media/cdrom/VMwareTools-9.0.2-799703.tar.gz
$ cd vmware-tools-distrib/
$ sudo ./vmware-install.pl
...
Follow the installation process and reply with the default answer to all the questions:
- You have a version of VMware Tools installed. Continuing this install will first uninstall the currently installed version. Do you wish to continue? (yes/no) [yes]
- In which directory do you want to install the binary files? [/usr/bin]
...
- Would you like to enable VMware automatic kernel modules? [yes]
- Thinprint provides driver-free printing. Do you wish to enable this feature? [yes]
- Thinprint provides driver-free printing. Do you wish to enable this feature? [yes]
Post installation steps
You can clean up the bash command line history by closing all terminals, launching a new one, and running a couple of commands:
$ > $HOME/.bash_history
$ exit
You can manually remove VMware Tools from /tmp or wait till the next boot for automatic removal.
Your new SamuraiWTF 2.0 VM is ready to run and assist you in your web-app penetration tests! The main constraint in VMware Player (hey... it is free :-) is that you cannot take a VMware snapshot in case you need to restore back to this clean state.
The instructions to create a SamuraiWTF 2.0 virtual machine in VMware Fusion or in VMware Workstation are available on previous blog posts.
Shameless Training Plug
This is an introductory guide to the official "Assessing and Exploiting Web Applications with Samurai-WTF" 2-day training I will be running at the BruCON 2012 conference during September 24-25 in Ghent (Belgium). This training session will be based on the latest SamuraiWTF 2.0 version and its new target web-apps and tools. If you are an OWASP member, you can take advantage of a 10% discount on the training fee.
Monday, September 10, 2012
How to Create a SamuraiWTF 2.0 Virtual Machine in VMware Workstation
The SamuraiWTF (Web Testing Framework) can be run as a live CD/DVD, although when performing web application penetration tests, I like to run it inside a virtual machine. SamuraiWTF 2.0 is based on Ubuntu 12.04 LTS and uses KDE (by default) - Why there was no SamuraiWTF 1.0 version? The steps below detail how to create a SamuraiWTF 2.0 virtual machine in VMware Workstation 8 (8.0.4, although version 9 is available) over Windows 7 (64-bits). The steps required for VMware Workstation over Linux would be very similar.
Creating a New Virtual Machine
Open VMware Workstation and create a new virtual machine (VM): File - New Virtual Machine... This will launch the "New Virtual Machine Wizard". In the welcome screen select "Custom (advanced)", and click "Next >". Choose the VM hardware compatibility as "Workstation 8.0" (default), and click "Next >". In the "Guest Operating System Installation" step, select "Installer disc image file (iso)", browse to the ISO file for SamuraiWTF 2.0 ("SamuraiWTF-2.0-i386.iso"), and click "Next >". In the "Select a Guest Operating System" select Linux as the "Guest operating system" and Ubuntu as the "Version", and click "Next >".
The "Name the Virtual Machine" window allows you to select the virtual machine name (eg. "SamuraiWTF-2.0"), and indicate where you want to save the new VM (directory, such as "C:\VMWARES\SamuraiWTF-2.0"). Click "Next >". The "Processor Configuration" screen allows you to select the number of processors and cores, where the default of "1:1" is fine, for a total of 1 processor core. Click "Next >". The next "Memory for the Virtual Machine" screen allows you to change the amount of RAM to 2048 MB or more from the default of 1024 MB. Click "Next >". In the "Network Type" screen it is possible to select the network interface type (by default, NAT). Click "Next >". The "Select I/O Controllers Type" can be left with the default SCSI controller: "LSI Logic". Click "Next >". In the "Select a Disk" screen it is recommended to "Create a new virtual disk", click "Next >", leave the default disk type in the next screen ("SCSI"), click "Next >", and define the maximum hard disk size (by default, 20 GB). All the other disk capacity options can be left with the default values. Click "Next >". The "Specify Disk File" allows you to provide the exact filename to be used for the VM disk (eg. "SamuraiWTF-2.0.vmdk"). Click "Next >". Finally, the "Ready to Create Virtual Machine" screen details all the VM settings selected, and by default will automatically power on the VM after creation.
As the VM is ready to boot, click the "Finish" button.
Booting SamuraiWTF 2.0
The recently created VM will start up, using the default Linux boot option, "Start SamuraiWTF". Wait till the SamuraiWTF desktop shows up.
Installing SamuraiWTF 2.0 to the hard disk
Double click the "Install SamuraiWTF 2.0" icon from the desktop and follow the installation wizard. From the "Language" screen select the language for the installation process and click "Continue".
The "Prepare" step recommends to have more than 15GB of free disk space and Internet connectivity. Select the "Download updates while installing" option to get the latest software, and optionally the "Install this third-party software", and click "Continue".
On the "Disk Setup" window leave the default guided disk layout and click on "Install Now".
On the "Timezone" screen select your timezone and, while the installation process starts copying files (a significant time optimization improvement over previous versions, but take into account that it can consume lots of your computer's resources while following the next installation steps), and click "Continue".
On the "Keyboard" screen select your keyboard layout and click "Continue".
On the "User Info" screen select your username and password, plus the hostname. It is highly recommended to change the default SamuraiWTF password (samurai - www.whatisthesamuraipassword.com) and use a long passphrase instead. It is preferable to select a custom hostname that does not include references to SamuraiWTF (by default "samurai-virtual-machine" is pre-filled). Leave the "Require my password to log in" option, although it won't be applied in version 2.0 due to recent changes to fix a very old bug. Click "Continue".
NOTE: A race condition has been identified (sometimes) depending on the time it takes to reach from the "Disk Setup" screen till the "User Info" screen, where the "Keyboard" step will directly jump into the "Install" step, bypassing the "User Info" screen. Quickly moving through the timezone and keyboard setup seems to help to avoid this unexpected behavior. If you suffer this behavior it is recommended to repeat the setup by booting the VM again from the ISO image.
The process will remain on the "Install" screen while all the files are copied and the different system elements are configured.
Once the installation finishes you will get an "Installation Complete" popup. It is recommended to click the "Restart Now" button to start using the SamuraiWTF instance installed on the hard disk, instead of the live instance from the ISO image.
There is a bug in the reboot/shutdown process of the live CD/DVD version, where the message that suggests the user to eject the CD/DVD and press any key to restart/shutdown does not show up. Once you get the following background SamuraiWTF image, press any key to reboot/shutdown the VM.
After rebooting, the VM CD/DVD is not connected, so the system directly boots from the recently installed hard disk. You can unplug the SamuraiWTF ISO image from the CD/DVD by going to the VM settings window, using the "CD/DVD (IDE)" icon and selecting "Use physical drive".
Once the new SamuraiWTF VM boots up you will be directly presented with the desktop, where the installation icon is not available anymore, but access to the README and CHANGELOG files, the latest version of the official SamuraiWTF training material in PDF format (as of today, v13 - see more details about upcoming training sessions below) and folders with the output of tools, a few wordlists, and exploit/payloads from several tools.
If you do not see the desktop icons, simply resize the VM window (this seems to be a bug in VMware Workstation).
Updating VMware Tools
VMware Tools are already installed in SamuraiWTF 2.0, thus you can directly copy & paste between the host and the guest operating systems. However, depending on the VMware version you are using you might want to update VMware Tools.
Go to the "VM - Update VMware Tools" menu in VMware. Depending on your setup, or if this is the first time you install/update VMware Tools on a Linux VM, VMware might need to download them first. If this is the case, click the "Download" button. Once they have been downloaded, or if they were already available, click on the "Install" button to connect the VMware Tools CD to the VM.
The CD is not automatically mounted on Ubuntu 12.04 if there is no password set for the root user (see related VMware doc), as in SamuraiWTF 2.0, so you need to manually mount the CD and launch the VMware Tools installation process:
$ sudo mount /dev/cdrom /media/cdrom
$ cd /tmp
$ tar xvzf /media/cdrom/VMwareTools-8.8.4-743747.tar.gz
Post installation steps
You can clean up the bash command line history by closing all terminals, launching a new one, and running a couple of commands:
$ > $HOME/.bash_history
$ exit
You can manually remove VMware Tools from /tmp or wait till the next boot for automatic removal.
Your new SamuraiWTF 2.0 VM is ready to run and assist you in your web-app penetration tests! Do not forget to take a VMware snapshot in case you need to restore back to this clean state.
The instructions to create a SamuraiWTF 2.0 virtual machine in VMware Fusion are available on a previous blog post, as well as for VMware Player.
Shameless Training Plug
This is an introductory guide to the official "Assessing and Exploiting Web Applications with Samurai-WTF" 2-day training I will be running at the BruCON 2012 conference during September 24-25 in Ghent (Belgium). This training session will be based on the latest SamuraiWTF 2.0 version and its new target web-apps and tools. If you are an OWASP member, you can take advantage of a 10% discount on the training fee.
Creating a New Virtual Machine
Open VMware Workstation and create a new virtual machine (VM): File - New Virtual Machine... This will launch the "New Virtual Machine Wizard". In the welcome screen select "Custom (advanced)", and click "Next >". Choose the VM hardware compatibility as "Workstation 8.0" (default), and click "Next >". In the "Guest Operating System Installation" step, select "Installer disc image file (iso)", browse to the ISO file for SamuraiWTF 2.0 ("SamuraiWTF-2.0-i386.iso"), and click "Next >". In the "Select a Guest Operating System" select Linux as the "Guest operating system" and Ubuntu as the "Version", and click "Next >".
The "Name the Virtual Machine" window allows you to select the virtual machine name (eg. "SamuraiWTF-2.0"), and indicate where you want to save the new VM (directory, such as "C:\VMWARES\SamuraiWTF-2.0"). Click "Next >". The "Processor Configuration" screen allows you to select the number of processors and cores, where the default of "1:1" is fine, for a total of 1 processor core. Click "Next >". The next "Memory for the Virtual Machine" screen allows you to change the amount of RAM to 2048 MB or more from the default of 1024 MB. Click "Next >". In the "Network Type" screen it is possible to select the network interface type (by default, NAT). Click "Next >". The "Select I/O Controllers Type" can be left with the default SCSI controller: "LSI Logic". Click "Next >". In the "Select a Disk" screen it is recommended to "Create a new virtual disk", click "Next >", leave the default disk type in the next screen ("SCSI"), click "Next >", and define the maximum hard disk size (by default, 20 GB). All the other disk capacity options can be left with the default values. Click "Next >". The "Specify Disk File" allows you to provide the exact filename to be used for the VM disk (eg. "SamuraiWTF-2.0.vmdk"). Click "Next >". Finally, the "Ready to Create Virtual Machine" screen details all the VM settings selected, and by default will automatically power on the VM after creation.
As the VM is ready to boot, click the "Finish" button.
Booting SamuraiWTF 2.0
The recently created VM will start up, using the default Linux boot option, "Start SamuraiWTF". Wait till the SamuraiWTF desktop shows up.
Installing SamuraiWTF 2.0 to the hard disk
Double click the "Install SamuraiWTF 2.0" icon from the desktop and follow the installation wizard. From the "Language" screen select the language for the installation process and click "Continue".
The "Prepare" step recommends to have more than 15GB of free disk space and Internet connectivity. Select the "Download updates while installing" option to get the latest software, and optionally the "Install this third-party software", and click "Continue".
On the "Disk Setup" window leave the default guided disk layout and click on "Install Now".
On the "Timezone" screen select your timezone and, while the installation process starts copying files (a significant time optimization improvement over previous versions, but take into account that it can consume lots of your computer's resources while following the next installation steps), and click "Continue".
On the "Keyboard" screen select your keyboard layout and click "Continue".
On the "User Info" screen select your username and password, plus the hostname. It is highly recommended to change the default SamuraiWTF password (samurai - www.whatisthesamuraipassword.com) and use a long passphrase instead. It is preferable to select a custom hostname that does not include references to SamuraiWTF (by default "samurai-virtual-machine" is pre-filled). Leave the "Require my password to log in" option, although it won't be applied in version 2.0 due to recent changes to fix a very old bug. Click "Continue".
NOTE: A race condition has been identified (sometimes) depending on the time it takes to reach from the "Disk Setup" screen till the "User Info" screen, where the "Keyboard" step will directly jump into the "Install" step, bypassing the "User Info" screen. Quickly moving through the timezone and keyboard setup seems to help to avoid this unexpected behavior. If you suffer this behavior it is recommended to repeat the setup by booting the VM again from the ISO image.
The process will remain on the "Install" screen while all the files are copied and the different system elements are configured.
Once the installation finishes you will get an "Installation Complete" popup. It is recommended to click the "Restart Now" button to start using the SamuraiWTF instance installed on the hard disk, instead of the live instance from the ISO image.
There is a bug in the reboot/shutdown process of the live CD/DVD version, where the message that suggests the user to eject the CD/DVD and press any key to restart/shutdown does not show up. Once you get the following background SamuraiWTF image, press any key to reboot/shutdown the VM.
After rebooting, the VM CD/DVD is not connected, so the system directly boots from the recently installed hard disk. You can unplug the SamuraiWTF ISO image from the CD/DVD by going to the VM settings window, using the "CD/DVD (IDE)" icon and selecting "Use physical drive".
Once the new SamuraiWTF VM boots up you will be directly presented with the desktop, where the installation icon is not available anymore, but access to the README and CHANGELOG files, the latest version of the official SamuraiWTF training material in PDF format (as of today, v13 - see more details about upcoming training sessions below) and folders with the output of tools, a few wordlists, and exploit/payloads from several tools.
If you do not see the desktop icons, simply resize the VM window (this seems to be a bug in VMware Workstation).
Updating VMware Tools
VMware Tools are already installed in SamuraiWTF 2.0, thus you can directly copy & paste between the host and the guest operating systems. However, depending on the VMware version you are using you might want to update VMware Tools.
Go to the "VM - Update VMware Tools" menu in VMware. Depending on your setup, or if this is the first time you install/update VMware Tools on a Linux VM, VMware might need to download them first. If this is the case, click the "Download" button. Once they have been downloaded, or if they were already available, click on the "Install" button to connect the VMware Tools CD to the VM.
The CD is not automatically mounted on Ubuntu 12.04 if there is no password set for the root user (see related VMware doc), as in SamuraiWTF 2.0, so you need to manually mount the CD and launch the VMware Tools installation process:
$ sudo mount /dev/cdrom /media/cdrom
$ cd /tmp
$ tar xvzf /media/cdrom/VMwareTools-8.8.4-743747.tar.gz
$ cd vmware-tools-distrib/
$ sudo ./vmware-install.pl
...
Follow the installation process and reply with the default answer to all the questions:
- You have a version of VMware Tools installed. Continuing this install will first uninstall the currently installed version. Do you wish to continue? (yes/no) [yes]
- In which directory do you want to install the binary files? [/usr/bin]
...
- Would you like to enable VMware automatic kernel modules? [yes]
Post installation steps
You can clean up the bash command line history by closing all terminals, launching a new one, and running a couple of commands:
$ > $HOME/.bash_history
$ exit
You can manually remove VMware Tools from /tmp or wait till the next boot for automatic removal.
Your new SamuraiWTF 2.0 VM is ready to run and assist you in your web-app penetration tests! Do not forget to take a VMware snapshot in case you need to restore back to this clean state.
The instructions to create a SamuraiWTF 2.0 virtual machine in VMware Fusion are available on a previous blog post, as well as for VMware Player.
Shameless Training Plug
This is an introductory guide to the official "Assessing and Exploiting Web Applications with Samurai-WTF" 2-day training I will be running at the BruCON 2012 conference during September 24-25 in Ghent (Belgium). This training session will be based on the latest SamuraiWTF 2.0 version and its new target web-apps and tools. If you are an OWASP member, you can take advantage of a 10% discount on the training fee.
How to Create a SamuraiWTF 2.0 Virtual Machine in VMware Fusion
The SamuraiWTF (Web Testing Framework) can be run as a live CD/DVD, although when performing web application penetration tests, I like to run it inside a virtual machine. SamuraiWTF 2.0 is based on Ubuntu 12.04 LTS and uses KDE (by default) - Why there was no SamuraiWTF 1.0 version? The steps below detail how to create a SamuraiWTF 2.0 virtual machine in VMware Fusion 5 over Mac OS X Mountain Lion (10.8). The steps required for VMware Fusion 4.x would be very similar, if not the same exact ones.
Creating a New Virtual Machine
Open VMware Fusion and create a new virtual machine (VM): File - New... This will launch the "New Virtual Machine Assistant". In the "Introduction" screen click on "Continue without disc". Select "Create a custom virtual machine" from the "Installation Media" screen, and click "Continue". In the "Operating System" step, select Linux as the "Operating System" and Ubuntu as the "Version", and click "Continue". The "Finish" screen details the VM settings selected.
Click on "Customize Settings" and indicate where you want to save the new VM (directory and filename, such as "SamuraiWTF-2.0.vmwarevm"). VMware will open the settings window. Click on "Processors & Memory" from the "System Settings" section to change the amount of RAM to 2048 MB or more (by default, 1024 MB). You can also adjust other settings, such as the hard disk size (by default, 20 GB), or the network interface type (by default, NAT).
From the "Removable Devices" section, click on "CD/DVD (IDE)", and select the built-in CD/DVD (such as "SuperDrive"). Click on "Chose a disc or disc image..." and select the ISO file for SamuraiWTF 2.0 ("SamuraiWTF-2.0-i386.iso"). Go back to the the settings window, which can be closed at this point, as the VM is ready to boot.
Booting SamuraiWTF 2.0
Start up the recently created VM, using the default Linux boot option, "Start SamuraiWTF", and wait till the SamuraiWTF desktop shows up.
Installing SamuraiWTF 2.0 to the hard disk
Double click the "Install SamuraiWTF 2.0" icon from the desktop and follow the installation wizard. From the "Language" screen select the language for the installation process and click "Continue".
The "Prepare" step recommends to have more than 15GB of free disk space and Internet connectivity. Select the "Download updates while installing" option to get the latest software, and optionally the "Install this third-party software", and click "Continue".
On the "Disk Setup" window leave the default guided disk layout and click on "Install Now".
On the "Timezone" screen select your timezone and, while the installation process starts copying files (a significant time optimization improvement over previous versions, but take into account that it can consume lots of your computer's resources while following the next installation steps), and click "Continue".
On the "Keyboard" screen select your keyboard layout and click "Continue".
On the "User Info" screen select your username and password, plus the hostname. It is highly recommended to change the default SamuraiWTF password (samurai - www.whatisthesamuraipassword.com) and use a long passphrase instead. It is preferable to select a custom hostname that does not include references to SamuraiWTF (by default "samurai-virtual-machine" is pre-filled). Leave the "Require my password to log in" option, although it won't be applied in version 2.0 due to recent changes to fix a very old bug. Click "Continue".
NOTE: A race condition has been identified (sometimes) depending on the time it takes to reach from the "Disk Setup" screen till the "User Info" screen, where the "Keyboard" step will directly jump into the "Install" step, bypassing the "User Info" screen. Quickly moving through the timezone and keyboard setup seems to help to avoid this unexpected behavior. If you suffer this behavior it is recommended to repeat the setup by booting the VM again from the ISO image.
The process will remain on the "Install" screen while all the files are copied and the different system elements are configured.
Once the installation finishes you will get an "Installation Complete" popup. It is recommended to click the "Restart Now" button to start using the SamuraiWTF instance installed on the hard disk, instead of the live instance from the ISO image.
There is a bug in the reboot/shutdown process of the live CD/DVD version, where the message that suggests the user to eject the CD/DVD and press any key to restart/shutdown does not show up. Once you get the following background SamuraiWTF image, press any key to reboot/shutdown the VM.
After rebooting, the VM CD/DVD is automatically turned off, so the system directly boots from the recently installed hard disk. You can unplug the SamuraiWTF ISO image from the CD/DVD by going to the VM settings window, using the "CD/DVD (IDE)" icon and selecting the physical drive.
Once the new SamuraiWTF VM boots up you will be directly presented with the desktop, where the installation icon is not available anymore, but access to the README and CHANGELOG files, the latest version of the official SamuraiWTF training material in PDF format (as of today, v13 - see more details about upcoming training sessions below) and folders with the output of tools, a few wordlists, and exploit/payloads from several tools.
Updating VMware Tools
VMware Tools are already installed in SamuraiWTF 2.0, thus you can directly copy & paste between the host and the guest operating systems. However, depending on the VMware version you are using you might want to update VMware Tools.
Go to the "Virtual Machine - Update VMware Tools" menu in VMware. Depending on your setup, or if this is the first time you install/update VMware Tools on a Linux VM, VMware might need to download them first. If this is the case, click the "Download" button.
Once they have been downloaded, or if they were already available, click on the "Install" button to connect the VMware Tools CD to the VM. The CD is not automatically mounted on Ubuntu 12.04 if there is no password set for the root user (see related VMware doc), as in SamuraiWTF 2.0, so you need to manually mount the CD and launch the VMware Tools installation process:
$ sudo mount /dev/cdrom /media/cdrom
$ cd /tmp
$ tar xvzf /media/cdrom/VMwareTools-9.2.1-818201.tar.gz
Post installation steps
You can clean up the bash command line history by closing all terminals, launching a new one, and running a couple of commands:
$ > $HOME/.bash_history
$ exit
You can manually remove VMware Tools from /tmp or wait till the next boot for automatic removal.
Your new SamuraiWTF 2.0 VM is ready to run and assist you in your web-app penetration tests! Do not forget to take a VMware snapshot in case you need to restore back to this clean state.
The instructions to create a SamuraiWTF 2.0 virtual machine in VMware Workstation are available on another blog post, as well as for VMware Player.
Shameless Training Plug
This is an introductory guide to the official "Assessing and Exploiting Web Applications with Samurai-WTF" 2-day training I will be running at the BruCON 2012 conference during September 24-25 in Ghent (Belgium). This training session will be based on the latest SamuraiWTF 2.0 version and its new target web-apps and tools. If you are an OWASP member, you can take advantage of a 10% discount on the training fee.
Creating a New Virtual Machine
Open VMware Fusion and create a new virtual machine (VM): File - New... This will launch the "New Virtual Machine Assistant". In the "Introduction" screen click on "Continue without disc". Select "Create a custom virtual machine" from the "Installation Media" screen, and click "Continue". In the "Operating System" step, select Linux as the "Operating System" and Ubuntu as the "Version", and click "Continue". The "Finish" screen details the VM settings selected.
Click on "Customize Settings" and indicate where you want to save the new VM (directory and filename, such as "SamuraiWTF-2.0.vmwarevm"). VMware will open the settings window. Click on "Processors & Memory" from the "System Settings" section to change the amount of RAM to 2048 MB or more (by default, 1024 MB). You can also adjust other settings, such as the hard disk size (by default, 20 GB), or the network interface type (by default, NAT).
From the "Removable Devices" section, click on "CD/DVD (IDE)", and select the built-in CD/DVD (such as "SuperDrive"). Click on "Chose a disc or disc image..." and select the ISO file for SamuraiWTF 2.0 ("SamuraiWTF-2.0-i386.iso"). Go back to the the settings window, which can be closed at this point, as the VM is ready to boot.
Booting SamuraiWTF 2.0
Start up the recently created VM, using the default Linux boot option, "Start SamuraiWTF", and wait till the SamuraiWTF desktop shows up.
Installing SamuraiWTF 2.0 to the hard disk
Double click the "Install SamuraiWTF 2.0" icon from the desktop and follow the installation wizard. From the "Language" screen select the language for the installation process and click "Continue".
The "Prepare" step recommends to have more than 15GB of free disk space and Internet connectivity. Select the "Download updates while installing" option to get the latest software, and optionally the "Install this third-party software", and click "Continue".
On the "Disk Setup" window leave the default guided disk layout and click on "Install Now".
On the "Timezone" screen select your timezone and, while the installation process starts copying files (a significant time optimization improvement over previous versions, but take into account that it can consume lots of your computer's resources while following the next installation steps), and click "Continue".
On the "Keyboard" screen select your keyboard layout and click "Continue".
On the "User Info" screen select your username and password, plus the hostname. It is highly recommended to change the default SamuraiWTF password (samurai - www.whatisthesamuraipassword.com) and use a long passphrase instead. It is preferable to select a custom hostname that does not include references to SamuraiWTF (by default "samurai-virtual-machine" is pre-filled). Leave the "Require my password to log in" option, although it won't be applied in version 2.0 due to recent changes to fix a very old bug. Click "Continue".
NOTE: A race condition has been identified (sometimes) depending on the time it takes to reach from the "Disk Setup" screen till the "User Info" screen, where the "Keyboard" step will directly jump into the "Install" step, bypassing the "User Info" screen. Quickly moving through the timezone and keyboard setup seems to help to avoid this unexpected behavior. If you suffer this behavior it is recommended to repeat the setup by booting the VM again from the ISO image.
The process will remain on the "Install" screen while all the files are copied and the different system elements are configured.
Once the installation finishes you will get an "Installation Complete" popup. It is recommended to click the "Restart Now" button to start using the SamuraiWTF instance installed on the hard disk, instead of the live instance from the ISO image.
There is a bug in the reboot/shutdown process of the live CD/DVD version, where the message that suggests the user to eject the CD/DVD and press any key to restart/shutdown does not show up. Once you get the following background SamuraiWTF image, press any key to reboot/shutdown the VM.
After rebooting, the VM CD/DVD is automatically turned off, so the system directly boots from the recently installed hard disk. You can unplug the SamuraiWTF ISO image from the CD/DVD by going to the VM settings window, using the "CD/DVD (IDE)" icon and selecting the physical drive.
Once the new SamuraiWTF VM boots up you will be directly presented with the desktop, where the installation icon is not available anymore, but access to the README and CHANGELOG files, the latest version of the official SamuraiWTF training material in PDF format (as of today, v13 - see more details about upcoming training sessions below) and folders with the output of tools, a few wordlists, and exploit/payloads from several tools.
Updating VMware Tools
VMware Tools are already installed in SamuraiWTF 2.0, thus you can directly copy & paste between the host and the guest operating systems. However, depending on the VMware version you are using you might want to update VMware Tools.
Go to the "Virtual Machine - Update VMware Tools" menu in VMware. Depending on your setup, or if this is the first time you install/update VMware Tools on a Linux VM, VMware might need to download them first. If this is the case, click the "Download" button.
Once they have been downloaded, or if they were already available, click on the "Install" button to connect the VMware Tools CD to the VM. The CD is not automatically mounted on Ubuntu 12.04 if there is no password set for the root user (see related VMware doc), as in SamuraiWTF 2.0, so you need to manually mount the CD and launch the VMware Tools installation process:
$ sudo mount /dev/cdrom /media/cdrom
$ cd /tmp
$ tar xvzf /media/cdrom/VMwareTools-9.2.1-818201.tar.gz
$ cd vmware-tools-distrib/
$ sudo ./vmware-install.pl
...
Follow the installation process and reply with the default answer to all the questions:
- You have a version of VMware Tools installed. Continuing this install will first uninstall the currently installed version. Do you wish to continue? (yes/no) [yes]
- In which directory do you want to install the binary files? [/usr/bin]
...
- Thinprint provides driver-free printing. Do you wish to enable this feature? [yes]
Post installation steps
You can clean up the bash command line history by closing all terminals, launching a new one, and running a couple of commands:
$ > $HOME/.bash_history
$ exit
You can manually remove VMware Tools from /tmp or wait till the next boot for automatic removal.
Your new SamuraiWTF 2.0 VM is ready to run and assist you in your web-app penetration tests! Do not forget to take a VMware snapshot in case you need to restore back to this clean state.
The instructions to create a SamuraiWTF 2.0 virtual machine in VMware Workstation are available on another blog post, as well as for VMware Player.
Shameless Training Plug
This is an introductory guide to the official "Assessing and Exploiting Web Applications with Samurai-WTF" 2-day training I will be running at the BruCON 2012 conference during September 24-25 in Ghent (Belgium). This training session will be based on the latest SamuraiWTF 2.0 version and its new target web-apps and tools. If you are an OWASP member, you can take advantage of a 10% discount on the training fee.
Monday, April 23, 2012
OWASP ZAP SmartCard Project
OWASP ZAP (Zed Attack Proxy) has become THE open-source web application interception proxy and security auditing tool, replacing well known open-source players in this field we have been using all over the last decade, such as Paros, WebScarab, or AndiParos. The tool is under active development nowadays, with new features and fixes added every other month, and with more to come, for example, from GSoC 2012. As a result of this tool progression and consolidation, ZAP was recently awarded the Toolsmith of the Year for 2011.
Some time after Paros was discontinued (v3.2.13 back in August 2006), new fork projects derived from Paros' source code were born. Surprisingly, as this behavior is not common in our industry, Psiinon (author of the original ZAP tool) and Axel (author of AndiParos), left their egos apart :-) and took a really smart decision: They joined forces to develop a single and powerful web application security tool, instead of developing two very similar but less powerful tools. The result is what we know today as OWASP ZAP!
However, inexplicably still today Paros is downloaded more than 2,500 times per week from the SourceForge.net project page, while the latest ZAP stable version (1.3.4) has been downloaded only 15,000 times in total during the last 5 months (based on the official open-source platforms statistics). This demonstrates people are used to their routines, and that there is still a lot of work to do to promote and spread the word about the existence of ZAP, its features, and benefits.
ZAP considerably and brightly stays on top of other commercial and open-source web application security tools and web interception proxies when assessing the security of web applications making use of smartcard-based authentication. When a target web application requests client authentication through digital certificates during the SSL/TLS handshake (re)negotiation, ZAP is able to access the local smartcard and authenticate the user as she would do when no interception proxy is in place. ZAP provides support for multiple smartcard types under different operating systems (Windows, Linux, and Mac OS X) thanks to the Java smartcard built-in capabilities and its integration with PKCS#11 hardware modules. The original ZAP smartcard support (from version 1.1.0) was merged by Axel from Andiparos. The current ZAP smartcard support has been greatly simplified through the drivers.xml configuration file. This XML file offers a centralized and extensible architecture to easily add support for new smartcards.
Although other security tools provide support for client digital certificates (x.509 certificates obtained from a file, referred as PKCS#12), we have identified both significant and subtle differences in several target web applications in the way they interact and authenticate the user when using a standard client digital certificate versus a smartcard. Hence, the need to be able to assess how the application behaves when a smartcard is involved.
ZAP smartcard support can be found under the "Tools - Options" menu, within the "Certificate" category, and specifically, on the "PCKS#11" tab:
As a result of my research focused on the security of web applications based on the DNIe, I have been working on and committing code to ZAP to improve the stability and usage of smartcards, using the Spanish national eID (DNIe) as a reference. For example, capabilities to interact with target web applications that still provide support for unsafe SSL/TLS (HTTPS) renegotiation have been added (see my original blog post on this topic from two years ago), as well as minor fixes for several bugs and issues found during the execution of multiple web application penetration tests on DNIe-based environments. One of the key fixes was an improvement to overcome PKCS#11 concurrency access conflicts between ZAP and web browsers (such as Firefox).
Additionally, the Spanish DNIe implements brute-force protection capabilities by blocking the smartcard after three login attempts when the user fails to enter the associated access PIN or passcode. Once the DNIe is locked, the only chance to unlock it requires Spanish citizens to go to the police station and follow a custom unlocking procedure. There (in the police station), you can find proprietary DNIe kiosks that allow citizens to authenticate through their fingerprint, stored within a secure area of the smartcard at issuing time, and proceed to change the DNIe access PIN or passcode. In order to avoid frequent visits to the police station by security auditors and pentesters using their DNIe (or any other eID smartcard) while assessing the security of web applications, and entering by mistake the wrong PIN or passcode in ZAP, the tool now implements specific checks and warning messages to alert the user about failed login attempts, trying to avoid blocking the smartcard after three failed access attempts.
All this DNIe-related functionality has been available on the official ZAP SVN repository since revision 1209, live at RootedCON 2012 (check how to build ZAP from source code), and is currently available on the latest downloadable version, ZAP 1.4.0.1.
To extend this previous research and the implementation already available within ZAP, I have launched a new ZAP-related project focused on improving the support of smartcard-based authentication within ZAP to other eID cards. More information about the "OWASP ZAP SmartCard Project" can be found at ZAP's official wiki.
The purpose of this project is to extend the currently available smartcard support within ZAP to other national eID cards worldwide (apart from the Belgium, Swiss, and Spanish eID's), as well as, to other proprietary smartcard solutions from commercial vendors (apart from ActivIdentity, Aladdin, or Axalto). The goal is for ZAP to provide the widest smartcard support within the web application security industry to be able to assess the security of any web application using smartcards and eIDs for authentication purposes through HTTPS (SSL/TLS). Besides that and based on my previous experience, the complementary goal is to extend ZAP with new features that might be required to deal with and manage the different smartcard types.
The current set of supported smartcards within ZAP can be found at ZAP's official wiki. This wiki page will be updated as soon as we add support for new smartcards within ZAP, although you can always directly check the "drivers.xml" file from the latest SVN revision. The draft list of countries that already provide eIDs (electronic-based identification for their citizens) I am aware of is available on the same page (we hope to add support for all or most of them over the following months with the help of the web application development and security communities).
The new "OWASP ZAP SmartCard Project" requires the implication of the community around the world to provide details and help to test new smartcard types. If you are interested on contributing to it, send me an e-mail or write to the OWASP ZAP Google group (mailing list). You can contribute in very different ways: from providing details about the existence of a new smartcard that is used in your country of origin or residence (or commercial smartcards used) for web-based authentication, as well as using ZAP to evaluate the security of smartcard-based web applications and report bugs or any other issues you may find, up to contributing new drivers.xml entries for new smartcards or additional operating systems.
At the end of September I will be talking about the "Security of National eID (smartcard-based) Web Applications" during the BruCON 2012 security conference in Ghent (Belgium) - first talks pre-release - and running the "Assessing and Exploiting Web Applications with Samurai-WTF" training.
Some time after Paros was discontinued (v3.2.13 back in August 2006), new fork projects derived from Paros' source code were born. Surprisingly, as this behavior is not common in our industry, Psiinon (author of the original ZAP tool) and Axel (author of AndiParos), left their egos apart :-) and took a really smart decision: They joined forces to develop a single and powerful web application security tool, instead of developing two very similar but less powerful tools. The result is what we know today as OWASP ZAP!
However, inexplicably still today Paros is downloaded more than 2,500 times per week from the SourceForge.net project page, while the latest ZAP stable version (1.3.4) has been downloaded only 15,000 times in total during the last 5 months (based on the official open-source platforms statistics). This demonstrates people are used to their routines, and that there is still a lot of work to do to promote and spread the word about the existence of ZAP, its features, and benefits.
ZAP considerably and brightly stays on top of other commercial and open-source web application security tools and web interception proxies when assessing the security of web applications making use of smartcard-based authentication. When a target web application requests client authentication through digital certificates during the SSL/TLS handshake (re)negotiation, ZAP is able to access the local smartcard and authenticate the user as she would do when no interception proxy is in place. ZAP provides support for multiple smartcard types under different operating systems (Windows, Linux, and Mac OS X) thanks to the Java smartcard built-in capabilities and its integration with PKCS#11 hardware modules. The original ZAP smartcard support (from version 1.1.0) was merged by Axel from Andiparos. The current ZAP smartcard support has been greatly simplified through the drivers.xml configuration file. This XML file offers a centralized and extensible architecture to easily add support for new smartcards.
Although other security tools provide support for client digital certificates (x.509 certificates obtained from a file, referred as PKCS#12), we have identified both significant and subtle differences in several target web applications in the way they interact and authenticate the user when using a standard client digital certificate versus a smartcard. Hence, the need to be able to assess how the application behaves when a smartcard is involved.
ZAP smartcard support can be found under the "Tools - Options" menu, within the "Certificate" category, and specifically, on the "PCKS#11" tab:
As a result of my research focused on the security of web applications based on the DNIe, I have been working on and committing code to ZAP to improve the stability and usage of smartcards, using the Spanish national eID (DNIe) as a reference. For example, capabilities to interact with target web applications that still provide support for unsafe SSL/TLS (HTTPS) renegotiation have been added (see my original blog post on this topic from two years ago), as well as minor fixes for several bugs and issues found during the execution of multiple web application penetration tests on DNIe-based environments. One of the key fixes was an improvement to overcome PKCS#11 concurrency access conflicts between ZAP and web browsers (such as Firefox).
Additionally, the Spanish DNIe implements brute-force protection capabilities by blocking the smartcard after three login attempts when the user fails to enter the associated access PIN or passcode. Once the DNIe is locked, the only chance to unlock it requires Spanish citizens to go to the police station and follow a custom unlocking procedure. There (in the police station), you can find proprietary DNIe kiosks that allow citizens to authenticate through their fingerprint, stored within a secure area of the smartcard at issuing time, and proceed to change the DNIe access PIN or passcode. In order to avoid frequent visits to the police station by security auditors and pentesters using their DNIe (or any other eID smartcard) while assessing the security of web applications, and entering by mistake the wrong PIN or passcode in ZAP, the tool now implements specific checks and warning messages to alert the user about failed login attempts, trying to avoid blocking the smartcard after three failed access attempts.
All this DNIe-related functionality has been available on the official ZAP SVN repository since revision 1209, live at RootedCON 2012 (check how to build ZAP from source code), and is currently available on the latest downloadable version, ZAP 1.4.0.1.
To extend this previous research and the implementation already available within ZAP, I have launched a new ZAP-related project focused on improving the support of smartcard-based authentication within ZAP to other eID cards. More information about the "OWASP ZAP SmartCard Project" can be found at ZAP's official wiki.
The purpose of this project is to extend the currently available smartcard support within ZAP to other national eID cards worldwide (apart from the Belgium, Swiss, and Spanish eID's), as well as, to other proprietary smartcard solutions from commercial vendors (apart from ActivIdentity, Aladdin, or Axalto). The goal is for ZAP to provide the widest smartcard support within the web application security industry to be able to assess the security of any web application using smartcards and eIDs for authentication purposes through HTTPS (SSL/TLS). Besides that and based on my previous experience, the complementary goal is to extend ZAP with new features that might be required to deal with and manage the different smartcard types.
The current set of supported smartcards within ZAP can be found at ZAP's official wiki. This wiki page will be updated as soon as we add support for new smartcards within ZAP, although you can always directly check the "drivers.xml" file from the latest SVN revision. The draft list of countries that already provide eIDs (electronic-based identification for their citizens) I am aware of is available on the same page (we hope to add support for all or most of them over the following months with the help of the web application development and security communities).
The new "OWASP ZAP SmartCard Project" requires the implication of the community around the world to provide details and help to test new smartcard types. If you are interested on contributing to it, send me an e-mail or write to the OWASP ZAP Google group (mailing list). You can contribute in very different ways: from providing details about the existence of a new smartcard that is used in your country of origin or residence (or commercial smartcards used) for web-based authentication, as well as using ZAP to evaluate the security of smartcard-based web applications and report bugs or any other issues you may find, up to contributing new drivers.xml entries for new smartcards or additional operating systems.
At the end of September I will be talking about the "Security of National eID (smartcard-based) Web Applications" during the BruCON 2012 security conference in Ghent (Belgium) - first talks pre-release - and running the "Assessing and Exploiting Web Applications with Samurai-WTF" training.
Tuesday, April 10, 2012
DNIe-based Web Applications Security
Early last month the third edition of Rooted CON took place in Madrid, Rooted CON 2012, with great contents and very interesting topics. During the last day of the conference I presented the results of the research I've been involved in during 2011 and early 2012, focused on the security of web applications based on the Spanish electronic identity card or eID (electronic ID) smartcard, called DNIe ("Documento Nacional de Identidad electrónico", electronic National Identity Card).
The DNIe (or eDNI) is the electronic version of the national ID card for Spanish citizens, and it is currently used to access a great variety of digital services from public and private sectors all over the country, including eGovernment services and web portals plus services from financial institutions, insurance and telecomunication companies, or utility companies (gas, water, electricity...).
Therefore, the DNIe is a key element to authenticate and identify users (Spanish citizens) within private and public critical web applications and services in today's information society in Spain. However, due to the limitations to interact with smartcards and, in particular, the DNIe of the currently available web auditing and pen-testing security tools... ¿are we really sure that the DNIe-based web application and services are secure? The DNIe is (assumed to be) secure, but... ¿is it used in a secure way? ¿Are the web-based client components associated to the DNIe secure? The presentation explored all these questions through new tools, real-world scenarios, and practical demonstrations.
The DNIe is an ISO 7816 smartcard (an evolution from PCKS#15), that contains a pair of X.509 digital certificates plus the associated public and private keys. One certificate is used for authentication/identification purposes (KeyUsage = Digital Signature) while the other is used for signature purposes (KeyUsage = contentCommitment). It is important to emphasize that the latter has legal validity, similar to a traditional manuscript signature, what makes the DNIe a recognized CWA 14169 secure signature-creation device (EAL4+).
So far, the main DNIe (or generally speaking, smartcard) security threats assume the attacker was able to get physical access to the smartcard and the associated PIN/passcode, or was able to compromise the victim's computer where the smartcard is plugged to and used from. A couple of examples are last year's Rooted CON 2011 research on using a DNIe remotely through a proxying computer, “Man-In-Remote: PKCS11 for fun and non-profit” by Gabriel González, or the Sykipot trojan, targeting US DoD smartcards (ActivClient), reported by AlienVault.
Considering Spain is the worldwide leader on digital identity and signature, with more than 25 million DNIe issued as of September 29, 2011 (since this +341 million euros project started in 2005), I feel we should lead too the security implications of web applications making use of the DNIe and similar smartcard solutions. In the same way Spain was significantly ahead on the "Monitoring eAccessibility in Europe: 2011 Annual Report", we must be ahead on the next eSecurity report (if any) too, both on the public and private sectors. It seems there are at least 26 countries worldwide providing smartcard-based (or digital certificate based) identification and signature solutions to their citizens, therefore this research has to be extended to other smartcard types and scenarios (see [0]).
I presented together with the smart and fun José A. Guasch, security researcher and one of the editors of the security-related Spanish blog Security By Default, as a while ago we realized we were researching about different (but related) security aspects of DNIe-based web applications, so our findings fit perfectly for a joint presentation on this topic.
From a technical side, I talked about the authentication and signature capabilities of web applications based on the DNIe, and the three main vulnerable areas: HTTPS (SSL/TLS), user authentication and registration through the DNIe, and session management in web applications. I have published details and tools previously on the first (HTTPS) and last (session management) topics, so the main focus was on the web interaction with the DNIe (and smartcards in general). During the talk I published live the new DNIe capabilities for web application pen-testers through the OWASP ZAP SVN repository (SVN official revision 1209 - drivers.xml file). These new capabilities are available on the ZAP SVN branch as well as the OWASP ZAP 1.4.x version, published yesterday (see [0]).
The presentation covers in depth how to interact with PKCS#11 smartcard devices from Java, and how ZAP smartcard support has been enhanced with DNIe capabilities, stability fixes, and new functionality for the three most common pen-testing platforms: Windows, Linux, and Mac OS X. Additionally, the second portion of my talk presented the results and statistics (plus the associated recommendations) obtained from pen-testing the DNIe capabilities of 15 critical web applications during 2011. The impact of the different vulnerabilities and weaknesses identified on this type of applications is very significant, specially considering the perceived extra security and confidence in the usage of smartcard authentication. If DNIe-based web applications are not securely architected and developed, an attacker can decrypt the victim's web traffic, launch Man-in-the-Middle (MitM) attacks, and manipulate the user registration and authentication processes, plus the user session, to fully impersonate legitimate users in the target web application. Unfortunately, based on the results obtained from these pen-tests there is still a long way to walk to be able to assert that relevant web applications making use of the DNIe are secure.
José talked about the overall security, as well as specific vulnerabilities, that can be found on the client-side components used by web applications (Java applets and ActiveX controls) that interact with the DNIe. These components access the DNIe to (sometimes) provide authentication capabilities and (mainly) verify and generate digital signatures. More information is available on the associated Security By Default blog post(s) (in Spanish).
This research, plus the additions we are currently working on, are going to be contributed over time to the OWASP DNIe project (in Spanish). This open initiative was launched in June 2011 with the goal of evaluating and improving the security of web applications based on the DNIe.
The presentation (in Spanish) can be downloaded from Taddong's lab in PDF format and it is also available on-line (SlideShare) from the Rooted CON papers/talks archive.
[0]: More specific smartcard and DNIe-related ZAP details, as well as extended research I'm working on, will be published on a near future Taddong's blog post.
The DNIe (or eDNI) is the electronic version of the national ID card for Spanish citizens, and it is currently used to access a great variety of digital services from public and private sectors all over the country, including eGovernment services and web portals plus services from financial institutions, insurance and telecomunication companies, or utility companies (gas, water, electricity...).
Therefore, the DNIe is a key element to authenticate and identify users (Spanish citizens) within private and public critical web applications and services in today's information society in Spain. However, due to the limitations to interact with smartcards and, in particular, the DNIe of the currently available web auditing and pen-testing security tools... ¿are we really sure that the DNIe-based web application and services are secure? The DNIe is (assumed to be) secure, but... ¿is it used in a secure way? ¿Are the web-based client components associated to the DNIe secure? The presentation explored all these questions through new tools, real-world scenarios, and practical demonstrations.
The DNIe is an ISO 7816 smartcard (an evolution from PCKS#15), that contains a pair of X.509 digital certificates plus the associated public and private keys. One certificate is used for authentication/identification purposes (KeyUsage = Digital Signature) while the other is used for signature purposes (KeyUsage = contentCommitment). It is important to emphasize that the latter has legal validity, similar to a traditional manuscript signature, what makes the DNIe a recognized CWA 14169 secure signature-creation device (EAL4+).
So far, the main DNIe (or generally speaking, smartcard) security threats assume the attacker was able to get physical access to the smartcard and the associated PIN/passcode, or was able to compromise the victim's computer where the smartcard is plugged to and used from. A couple of examples are last year's Rooted CON 2011 research on using a DNIe remotely through a proxying computer, “Man-In-Remote: PKCS11 for fun and non-profit” by Gabriel González, or the Sykipot trojan, targeting US DoD smartcards (ActivClient), reported by AlienVault.
Considering Spain is the worldwide leader on digital identity and signature, with more than 25 million DNIe issued as of September 29, 2011 (since this +341 million euros project started in 2005), I feel we should lead too the security implications of web applications making use of the DNIe and similar smartcard solutions. In the same way Spain was significantly ahead on the "Monitoring eAccessibility in Europe: 2011 Annual Report", we must be ahead on the next eSecurity report (if any) too, both on the public and private sectors. It seems there are at least 26 countries worldwide providing smartcard-based (or digital certificate based) identification and signature solutions to their citizens, therefore this research has to be extended to other smartcard types and scenarios (see [0]).
I presented together with the smart and fun José A. Guasch, security researcher and one of the editors of the security-related Spanish blog Security By Default, as a while ago we realized we were researching about different (but related) security aspects of DNIe-based web applications, so our findings fit perfectly for a joint presentation on this topic.
From a technical side, I talked about the authentication and signature capabilities of web applications based on the DNIe, and the three main vulnerable areas: HTTPS (SSL/TLS), user authentication and registration through the DNIe, and session management in web applications. I have published details and tools previously on the first (HTTPS) and last (session management) topics, so the main focus was on the web interaction with the DNIe (and smartcards in general). During the talk I published live the new DNIe capabilities for web application pen-testers through the OWASP ZAP SVN repository (SVN official revision 1209 - drivers.xml file). These new capabilities are available on the ZAP SVN branch as well as the OWASP ZAP 1.4.x version, published yesterday (see [0]).
The presentation covers in depth how to interact with PKCS#11 smartcard devices from Java, and how ZAP smartcard support has been enhanced with DNIe capabilities, stability fixes, and new functionality for the three most common pen-testing platforms: Windows, Linux, and Mac OS X. Additionally, the second portion of my talk presented the results and statistics (plus the associated recommendations) obtained from pen-testing the DNIe capabilities of 15 critical web applications during 2011. The impact of the different vulnerabilities and weaknesses identified on this type of applications is very significant, specially considering the perceived extra security and confidence in the usage of smartcard authentication. If DNIe-based web applications are not securely architected and developed, an attacker can decrypt the victim's web traffic, launch Man-in-the-Middle (MitM) attacks, and manipulate the user registration and authentication processes, plus the user session, to fully impersonate legitimate users in the target web application. Unfortunately, based on the results obtained from these pen-tests there is still a long way to walk to be able to assert that relevant web applications making use of the DNIe are secure.
José talked about the overall security, as well as specific vulnerabilities, that can be found on the client-side components used by web applications (Java applets and ActiveX controls) that interact with the DNIe. These components access the DNIe to (sometimes) provide authentication capabilities and (mainly) verify and generate digital signatures. More information is available on the associated Security By Default blog post(s) (in Spanish).
This research, plus the additions we are currently working on, are going to be contributed over time to the OWASP DNIe project (in Spanish). This open initiative was launched in June 2011 with the goal of evaluating and improving the security of web applications based on the DNIe.
The presentation (in Spanish) can be downloaded from Taddong's lab in PDF format and it is also available on-line (SlideShare) from the Rooted CON papers/talks archive.
[0]: More specific smartcard and DNIe-related ZAP details, as well as extended research I'm working on, will be published on a near future Taddong's blog post.
Sunday, February 19, 2012
OWASP Session Management Cheat Sheet (v2.0) & Podcast
On July 2011 the OWASP Session Management CheatSheet was released with the main goal of becoming a useful security reference for web application architects, developers, and security professionals. The document tries to summarize in a concise way all the best practices, recommendations, and countermeasures required to improve the security of today's session management implementations in web applications. The results on our web application penetration tests over the last few years, unfortunately, ratify that session management vulnerabilities are very common and widely prevalent in critical web applications still today.
Jim Manico gave me the opportunity to include this content in the famous OWASP CheatSheet series and talk about this topic. As a result, OWASP Podcast number 90, "Raul Siles", has been released (check the whole OWASP Podcast series). Thanks Jim!
Around October 2011 I slightly updated the official CheatSheet version in the OWASP Wiki, and last week, in sync with the podcast release, I've published a new version (v2.0). This updated downloadable version (in PDF format) includes the updates from October (check the Wiki and document changelog) plus a new feature I plan to expand in future versions of this document: It includes additional session management references to attacks, pen-testing and auditing techniques, tools, and demonstrations complementing the original security countermeasures and defensive recommendations.
Jim Manico gave me the opportunity to include this content in the famous OWASP CheatSheet series and talk about this topic. As a result, OWASP Podcast number 90, "Raul Siles", has been released (check the whole OWASP Podcast series). Thanks Jim!
Around October 2011 I slightly updated the official CheatSheet version in the OWASP Wiki, and last week, in sync with the podcast release, I've published a new version (v2.0). This updated downloadable version (in PDF format) includes the updates from October (check the Wiki and document changelog) plus a new feature I plan to expand in future versions of this document: It includes additional session management references to attacks, pen-testing and auditing techniques, tools, and demonstrations complementing the original security countermeasures and defensive recommendations.
This new version, v2.0, includes the first 10 references/demos, including the OWASP Cookie Database Project, the BIG-‐IP_cookie_decoder.py and TLSSLed tools, the OddJob session hijacking banking trojan, and more.
I encourage everybody involved in web applications security to review the OWASP Session Management CheatSheet, apply its contents to the currently available web applications and implementations, help spreading the word and contribute to it.
I encourage everybody involved in web applications security to review the OWASP Session Management CheatSheet, apply its contents to the currently available web applications and implementations, help spreading the word and contribute to it.
Image src: http://www.gabrielwoo.com/cookie-monster.jpg
Friday, February 10, 2012
Building OWASP ZAP Using Eclipse IDE for Java… Pen-Testers (v2.0)
The OWASP Zed Attack Proxy (ZAP) is the Toolsmith Tool of the Year for 2011. Last Summer, the "Building OWASP ZAP Using Eclipse IDE for Java... Pen-Testers" (version 1.0) was published, and as the beggining of 2012 seems to be the time for second editions of my work ;-) (check the upcoming blog post with v2.0 of the "OWASP Session Management CheatSheet"), a new version of the guide has been released.
This new "Building OWASP ZAP Using Eclipse IDE for Java... Pen-Testers" (version 2.0), available for download from Taddong's Lab, includes significant changes from the first version. It provides an updated development environment not only to get and build the latest ZAP version from the official SVN repository, but to easily commit your changes if you want to contribute to the ZAP project. The proposed environment is more user friendly than in the first version, without requiring any external SVN client. Eclipse and Subclipse provide all the development and SVN capabilities integrated into the same tool. The guide also references the recent OWASP ZAP Extensions project and provides guidance to manage Java (JRE or JDK) updates in Eclipse.
I encourage everyone involved in Web Application Security, from architects to developers, Q&A, auditors, and pen-testers, to take a look at OWASP ZAP, the OWASP ZAP Extensions, and use this new building ZAP guide to enjoy the most current version from SVN and contribute to the project. The official "Building ZAP" Wiki has been updated to link to both versions of this guide.
NOTE: I will be talking about OWASP ZAP and release new smartcard features during my Rooted CON 2012 talk: "Security of Web Applications using the (Spanish) eID" ("Seguridad de aplicaciones web basadas en el DNIe", in Spanish).
This new "Building OWASP ZAP Using Eclipse IDE for Java... Pen-Testers" (version 2.0), available for download from Taddong's Lab, includes significant changes from the first version. It provides an updated development environment not only to get and build the latest ZAP version from the official SVN repository, but to easily commit your changes if you want to contribute to the ZAP project. The proposed environment is more user friendly than in the first version, without requiring any external SVN client. Eclipse and Subclipse provide all the development and SVN capabilities integrated into the same tool. The guide also references the recent OWASP ZAP Extensions project and provides guidance to manage Java (JRE or JDK) updates in Eclipse.
I encourage everyone involved in Web Application Security, from architects to developers, Q&A, auditors, and pen-testers, to take a look at OWASP ZAP, the OWASP ZAP Extensions, and use this new building ZAP guide to enjoy the most current version from SVN and contribute to the project. The official "Building ZAP" Wiki has been updated to link to both versions of this guide.
NOTE: I will be talking about OWASP ZAP and release new smartcard features during my Rooted CON 2012 talk: "Security of Web Applications using the (Spanish) eID" ("Seguridad de aplicaciones web basadas en el DNIe", in Spanish).
Subscribe to:
Posts (Atom)