
Packet Capture - Wireshark and TCPDUMP

If you are a penetration tester then you already know the importance of this topic. Starting a packet capture is the first thing an experienced penetration tester does, before firing the first recon tool at the target. Even when you have all the authorizations in place before conducting the test, you never know when you might need the capture to prove exactly what you did. The other benefit of packet capture is the deep dive it gives you into the wire (or the air ;) ) and the information you can gather from it.
Mastering the art of packet capture is a major plus for your security assessments.
The most commonly used GUI tool is Wireshark, and the favourite amongst console lovers is TCPDUMP.

I am not against Wireshark, but Wireshark itself has had vulnerabilities :) so it becomes an additional responsibility to keep it patched and updated to avoid getting hacked through your own analysis tool.
Let's cover the basics of each of these tools.


[1] Wireshark

The download instructions and usage can be found at https://www.wireshark.org/
We will focus on capture filters and display filters, which are the most important pieces for capturing only the traffic you are interested in and then analysing it so that it makes sense.
By default, if you launch Wireshark and start capturing you will end up capturing heaps of packets from all the applications and browsers on your system, and of course the capture file size will shoot up. You don't want this to happen, right?
Refer to the capture filters here: https://wiki.wireshark.org/CaptureFilters
Open Wireshark GUI and click Capture > Options
Select the interface on which you want to monitor the traffic.

[Screenshot: Capture Filter]
Click on Capture Filter and set your options.
For example, if you want to monitor traffic only to and from https://www.google.com.au then your capture filter will be: host www.google.com.au and port 443
We will also rotate the capture files to ensure we do not end up with a single capture file of 5 GB :P

[Screenshot: Capture Filter2]
Once the interface, capture filter and log files are set we are good to start the capture.

[Screenshot: Capture Filter3]
Note the green colour of the capture filter field :) If your filter is not valid it will turn red :P
Click on start.

Now you should see in Wireshark the traffic to and from https://www.google.com.au.
Next is the use of display filters to narrow down on the specific information you want to see. Note that display filters use Wireshark's own syntax (for example tcp.port == 443), which is different from the capture filter syntax:
Since in this example we used https, there is nothing to see in the payload as such, because it is encrypted. However, when you do this in your pen test your target may or may not be on https, and there are many more useful ports and other filters you might want to use.

The packetlife guys have created a fantastic list here

Pro Tip: Finally, once you are done with your analysis DO NOT forget to stop the packet capture. It is a common observation that one of the team members forgets to stop the packet capture and the next day the pen-testing machine is down because there is no (or very little) disk space left :)
Ideally the packet capture files should be stored on a network share. The capture filters we discussed earlier will help to reduce the file size.

[2] TCPDUMP

Well, there is really no point in reinventing the wheel. There is an excellent post here.
You can use it every time you set up your tcpdump.

Here is what I would mostly use (the eth1, hostip and pentest_machine_IP placeholders are to be replaced with the actual values during the test):

tcpdump -i eth1 -nq -s0 -c100 -w /root/packetcapture_hostip_$(date +"%Y%m%d_%H%M%S").pcap host pentest_machine_IP
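The capture-filter steps, the display-filter section and the tcpdump one-liner above come together in the following added example. It is not code from the original post; it is a small POSIX shell wrapper around tcpdump and tshark that bakes in the habits described above: a BPF capture filter so only the target's traffic is recorded, a timestamped file name, rotating capture files, a hard time limit (via coreutils timeout) so a forgotten capture cannot fill the disk, and a Wireshark display-filter pass over the saved file. The interface name, hosts, ports, directory and durations are placeholders to be replaced on the engagement, and the CAPTURE_DIR and PENTEST_IP environment variables are assumptions of this script.

```shell
#!/bin/sh
# Added example, not from the original post: wrap tcpdump/tshark so every
# capture gets a capture filter, a timestamped name, rotation, a time limit
# and an offline display-filter pass. All values below are placeholders.

# BPF capture filter for traffic between the target host and one port,
# optionally restricted to the pentest machine as the other endpoint.
capture_filter() {
    # $1 = target host, $2 = port, $3 = pentest machine IP (optional)
    if [ -n "${3:-}" ]; then
        printf 'host %s and host %s and port %s' "$1" "$3" "$2"
    else
        printf 'host %s and port %s' "$1" "$2"
    fi
}

# Capture file name: <dir>/<label>_<YYYYmmdd_HHMMSS>.pcap. The timestamp is
# passed in so the function is deterministic (the caller supplies date output).
capture_path() {
    # $1 = directory, $2 = label, $3 = timestamp string
    printf '%s/%s_%s.pcap' "$1" "$2" "$3"
}

# Full tcpdump command line.
#   -i  interface       -nn  no name/port lookups (no extra DNS traffic from us)
#   -s0 full packets    -C   start a new file when the current one reaches
#                            N million bytes
#   -W  keep at most N files (ring buffer)   -w  write raw packets to file
capture_cmd() {
    # $1 = interface, $2 = output file, $3 = filter, $4 = MB per file, $5 = max files
    printf 'tcpdump -i %s -nn -s0 -C %s -W %s -w %s %s' "$1" "$4" "$5" "$2" "$3"
}

# Start a capture that stops by itself after $4 seconds (the "Pro Tip").
run_capture() {
    # $1 = interface, $2 = target host, $3 = port, $4 = max duration in seconds
    dir="${CAPTURE_DIR:-/root/captures}"          # assumed/placeholder directory
    stamp=$(date +"%Y%m%d_%H%M%S")
    out=$(capture_path "$dir" "$2" "$stamp")
    filt=$(capture_filter "$2" "$3" "${PENTEST_IP:-}")
    mkdir -p "$dir"
    echo "capturing '$filt' on $1 -> $out (stops after $4 s)"
    # Word splitting of the command string is intended: tcpdump joins the
    # trailing words back into a single filter expression.
    timeout "$4" $(capture_cmd "$1" "$out" "$filt" 100 10)
}

# Apply a Wireshark display filter to a saved capture with tshark and print
# one line per matching packet. Display filters use Wireshark's own syntax
# (tcp.port == 443), not the BPF syntax of capture filters (port 443).
show_packets() {
    # $1 = pcap file, $2 = display filter
    command -v tshark >/dev/null 2>&1 || { echo "tshark not installed" >&2; return 1; }
    tshark -r "$1" -Y "$2" -T fields \
        -e frame.number -e ip.src -e ip.dst -e tcp.dstport
}

# Usage (runs only when invoked with a sub-command, so the file can be sourced):
#   sh capture.sh capture eth1 www.example.com 443 600
#   sh capture.sh show /root/captures/www.example.com_20240101_120000.pcap 'tcp.port == 443'
case "${1:-}" in
    capture) shift; run_capture "$@" ;;
    show)    shift; show_packets "$@" ;;
esac
```

Running a capture needs the same privileges as tcpdump itself (root or CAP_NET_RAW); the -C/-W pair gives a fixed-size ring of files instead of one 5 GB monster, and timeout is the safety net for the "forgot to stop it" case.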

So that's all for now. Enjoy these fantastic tools and Happy packet capturing.
