
The Sticky Keys Hack

My Windows 7 Laptop is safe and Patched – Instant Hack

After my last demo on Win XP, the company had decided to move on to Windows 7. A few users were migrated as part of a pilot program and I was still hanging around.
My friend asked me, "Is Win 7 secure?" I replied, "Natively, NO." As you know, you need to build controls in and around a system to make it secure. MS has done some work to introduce security features in Win 7, but it's still not foolproof.
With the required permissions in place, I headed for a quick demo again.

Boot to Root
I was provided with a brand new Windows 7 laptop, freshly built.
This is a well-known hack involving Sticky Keys. I am sure everyone has heard of "Sticky Keys", if not as a feature then by accident: every one of us has pressed the Shift key more than 5 times and had that annoying Sticky Keys pop-up come up.
Sticky Keys is a Windows Ease of Access feature that makes it possible to use keyboard shortcuts or type capital letters without needing to press more than one key at once.
I am not sure how many people use this feature, or why it is still on.

One can easily hack into the system using this technique and gain full access.
The weakness lies in the fact that Sticky Keys can be launched from the logon screen itself, without authentication, and that Windows starts the executable behind it, sethc.exe, by file name alone, without verifying its digital signature. What that means is that if we rename any other executable to sethc.exe, Windows will still treat it as sethc.
The precondition is physical access to the box: boot from a repair disk or a Linux distribution so that the files on the system drive can be changed.

Make a copy of the original sethc.exe somewhere on the system. From the Windows repair console:
copy c:\windows\system32\sethc.exe c:\
or from a Linux live distribution (here the Windows volume is mounted at /mnt/sda3):
cp /mnt/sda3/Windows/System32/sethc.exe /mnt/sda3/sethc.exe

Copy cmd.exe into sethc.exe's place:
copy /y c:\windows\system32\cmd.exe c:\windows\system32\sethc.exe
or
cp /mnt/sda3/Windows/System32/cmd.exe /mnt/sda3/Windows/System32/sethc.exe

Reboot and press the Shift key 5 times at the logon screen: a shell running as SYSTEM pops up. Now you have complete control over the system; you can add users and add them to the Administrators group.

You can achieve the same result by registering an executable of your choice as the Debugger for sethc.exe under Image File Execution Options in the registry. From a privileged command shell, that would be:

REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe" /v Debugger /t REG_SZ /d "C:\windows\system32\cmd.exe"

The same applies to Utilman.exe.
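As a defender's counterpart to the two techniques above, here is an added PowerShell audit script (my example, not code from the original post) that checks the accessibility binaries Windows launches from the logon screen for both tampering methods: a swapped file, detected through the PE version resource (a copy of cmd.exe renamed to sethc.exe still reports OriginalFilename "Cmd.Exe"), and an IFEO Debugger value. The list of binaries beyond sethc.exe and Utilman.exe, and the names of the result columns, are my assumptions. Run it from an elevated prompt.

```powershell
# Added example (not from the original post): audit the accessibility binaries
# that Windows starts from the logon screen for the two tampering methods
# described above (file swap and IFEO Debugger).
# Assumptions (mine): the binary list below, and that a genuine binary names
# itself in its version resource (cmd.exe copied over sethc.exe reports
# OriginalFilename "Cmd.Exe").

$accessibilityBinaries = @('sethc.exe', 'utilman.exe', 'osk.exe',
                           'narrator.exe', 'magnify.exe', 'displayswitch.exe')
$system32 = Join-Path $env:SystemRoot 'System32'
$ifeoRoot = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'

$findings = foreach ($name in $accessibilityBinaries) {
    $path = Join-Path $system32 $name
    $file = Get-Item -LiteralPath $path -ErrorAction SilentlyContinue
    if (-not $file) { continue }

    # 1. File-swap check: does the version resource still name this binary?
    #    (-ne on strings is case-insensitive in PowerShell.)
    $original = $file.VersionInfo.OriginalFilename
    $swapped  = [bool]($original -and ($original -ne $name))

    # 2. Signature check: only a HashMismatch is a clear finding; a genuine
    #    but catalog-signed file may show NotSigned on older Windows.
    $sig = Get-AuthenticodeSignature -FilePath $path
    $signatureTampered = ($sig.Status -eq 'HashMismatch')

    # 3. IFEO check: any Debugger value means another program runs instead.
    $ifeoKey  = Join-Path $ifeoRoot $name
    $debugger = (Get-ItemProperty -Path $ifeoKey -Name Debugger -ErrorAction SilentlyContinue).Debugger

    [pscustomobject]@{
        Binary           = $name
        OriginalFilename = $original
        SignatureStatus  = $sig.Status
        Debugger         = $debugger
        Suspicious       = ($swapped -or $signatureTampered -or [bool]$debugger)
    }
}

$findings | Format-Table -AutoSize
if ($findings | Where-Object { $_.Suspicious }) {
    Write-Warning 'Accessibility binary tampering detected; do not trust this logon screen until investigated.'
}
```

A signature check alone would not catch the swap shown in this post: the copied cmd.exe is itself a genuine Microsoft binary, so its signature status is whatever cmd.exe's was. That is why the script relies on the version resource for the swap and reports the signature status only as supporting information.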

Countermeasures:
1. Disable Sticky Keys.
2. Use your BIOS/UEFI settings to prevent booting from removable media, or require a password to boot from external media. The procedure for this varies from motherboard to motherboard.
3. Use some form of disk encryption, such as BitLocker or SafeGuard.
Please do not use TrueCrypt – I am sure you know about the TrueCrypt hack. I will try to post about it sometime later when I get time. Cannot say when.
Using disk encryption also prevents cold boot attacks on your system.
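To make countermeasure 1 concrete, here is an added PowerShell script (my example, not code from the original post) that disables the press-Shift-five-times hotkey by clearing the SKF_HOTKEYACTIVE bit (0x4) in the StickyKeys Flags value, both for the current user and for HKEY_USERS\.DEFAULT, which I assume is the profile the logon screen reads, and that removes any IFEO Debugger value left on the accessibility binaries. The binary list is an assumption; the BIOS/UEFI and disk-encryption steps cannot be scripted from here. Run it from an elevated prompt.

```powershell
# Added example (not from the original post): harden against the logon-screen
# Sticky Keys trick.
#  - Clear SKF_HOTKEYACTIVE (0x4) in the StickyKeys "Flags" value so the
#    Shift-x5 hotkey no longer starts sethc.exe. The Windows default "510"
#    (0x1FE) has the bit set; "506" does not.
#    Assumption (mine): the logon screen reads HKEY_USERS\.DEFAULT.
#  - Remove any IFEO "Debugger" value on the accessibility binaries.

$SKF_HOTKEYACTIVE = 0x4
$stickyKeyPaths = @(
    'Registry::HKEY_USERS\.DEFAULT\Control Panel\Accessibility\StickyKeys',  # logon screen
    'HKCU:\Control Panel\Accessibility\StickyKeys'                           # current user
)

foreach ($keyPath in $stickyKeyPaths) {
    if (-not (Test-Path $keyPath)) { New-Item -Path $keyPath -Force | Out-Null }
    $current = (Get-ItemProperty -Path $keyPath -Name Flags -ErrorAction SilentlyContinue).Flags
    if (-not $current) { $current = '510' }    # Windows default when the value is absent
    $newFlags = ([int]$current) -band (-bnot $SKF_HOTKEYACTIVE)
    # The value is stored as REG_SZ, so write it back as a string.
    Set-ItemProperty -Path $keyPath -Name Flags -Value ([string]$newFlags) -Type String
    Write-Host "$keyPath : Flags $current -> $newFlags"
}

$ifeoRoot = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
$accessibilityBinaries = @('sethc.exe', 'utilman.exe', 'osk.exe',
                           'narrator.exe', 'magnify.exe', 'displayswitch.exe')
foreach ($name in $accessibilityBinaries) {
    $key = Join-Path $ifeoRoot $name
    if ((Get-ItemProperty -Path $key -Name Debugger -ErrorAction SilentlyContinue).Debugger) {
        Remove-ItemProperty -Path $key -Name Debugger
        Write-Host "Removed IFEO Debugger value for $name"
    }
}
```

Clearing the hotkey bit leaves the Sticky Keys feature itself available through the Ease of Access settings; it only stops the logon screen from launching sethc.exe on five Shift presses. A swapped sethc.exe must still be restored from a known-good copy, and the Utilman.exe path is closed only by the boot-order and disk-encryption countermeasures above.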
