Friday, May 25, 2012

How did they find me?

I wanted to learn more about E-commerce and the type of breaches that take place so I volunteered to take the bulk of the E-comm cases for my team.  Over the last 18 months I went from zero to "go-to guy" and I learned a lot. Now it's time to share.

From what I've seen; there are 3 main phases to a successful website breach:

1. Reconnaissance - An attacker singles out your site and begins to hammer away with port scans, nessus plugins, automated SQL injection attacks, etc.

2. Infiltration- This is the actual attack. They exploit a vulnerability to upload code, bypass credentials, or brute force their way in to an admin console or SSH, etc.

3. Exfiltration- Attackers access your data and take what they want. In my line of work I see a lot of financial data gathered and stolen, but I have also worked defacement's,  theft of Personally Identifiable Information (PII) and breaches of copyrighted information.

I'm going to tackle these 3 points 1 blog post at a time. The first one on reconnaissance is below.


There are more free utilities to scan for vulnerabilities available now than ever before. Try a Google search for "web vulnerability scanner" and look at the results. These are all "canned" scanners that search for pretty basic stuff. Surprisingly, I see even these basic scans work and identify serious vulnerabilities. Case in point, I worked a case earlier this year where the free version of the Accunetix scanner successfully enumerated the password hashes in /etc/password.

Nice huh? "cat etc passwd" fed to a vulnerable php file resulting in an HTTP 200 "OK"
--If only they had SSH open as well, oh wait. Yah, they got pwned.

Even scarier, try a recursive wget against a website and see what you can pull down, you might be amazed. I've seen the "includes" directory of a website (complete with database user names and passwords embedded) available for public download.

Everybody knows about NMAP at this point right?

These open ports don't seem like that big a deal at first glance right? IMAP, POP3, SMTP?
What if I told you this was a front-end web server for a MAJOR entertainment website that has nothing to do with email ?
What about mysql?
Should you willingly expose your database to brute force?

The Nessus suite has lot of plugins focused on web attacks, there are useful spiders out there like  Burp, Paros and Grendel. Havij and SQLMAP are easy to use and sites can be fingerprinted by tools like FOCA.  Pen-testers and attackers alike use Maltego for recon among other things. (I'm told this is like lighting a fire with an atomic bomb)

My point here is that this stuff is available to everyone. Attackers are using it and you should too.

If you don't have the skills or the time, hire somebody to do it for you. *koff* Spiderlabs*koff*

Or don't, I need the work. :)


1 comment: