Rant from The Past & the Present Updates – 2019

2016

2017

2018

2019 ..

Alright, back to the desk again from the past.

I have been busy for quite some time now & had to make various research available for reference. I had set up https://pwntoken.github.io for this very reason; however, it now takes tremendous effort to maintain the platform (Octopress), as most of its developers have dropped support.

Having pointed that out, I’ve decided to migrate all my research posts to the WordPress platform, fixing the images where required, & to continue maintaining this space. It’s been a bumpy ride, & all the posts from the past were recorded solely for my own tracking & reference; however, they could be useful to other content assessors as well.

It’s 2019! A whole lot has been at my desk waiting to be recorded & put across the table. The blog shall no longer contain any references to personal academic records; however, I plan to record security research content alongside the migration, which should be possible after a lot of effort invested in fixing missing images, hyperlinks, etc. The year 2019 & the years since I left off have seen many changes in the security landscape, shift-left approaches & a ton of interesting security techniques to cover, including but not limited to:

  1. Agile Based Application Security
  2. IoT Security being pushed to the Edge
  3. Salesforce Penetration Testing
  4. Sharepoint Security Testing
  5. IPTV Security Assessments
  6. New Security Attack vectors

Since security in itself has wide coverage & various inter-related domains, I shall retain the Application Security content for the present while I work on the rest & release them in phases.

Other changes:
  1. A new look – I intend to make the blog easier to use for reference purposes, with a few glitches still to be fixed.
  2. An optimized experience for commenters & a better response time to questions asked.
  3. I shall probably also try including polls on certain posts which require opinions.
  4. Active blogging on security research content & day-to-day (or weekly) posts on new learning.

I look forward to continuing with the content, as I intend to track all my records & that should be the entire point of the blog.

Readers are welcome to use the content with prior consent & due-credits where required.

- Shritam Bhowmick
Application Security Research (http://www.pwntoken.github.io/)
                              (http://www.pwntoken.wordpress.com/)

All that you need to know About NSA’s Equation Group!

First-Hand Details: TEG (The Equation Group) is the NSA’s team of hackers who write code to exploit systems worldwide. Some of their private files were recently dropped by a group called the Shadow Brokers, who auctioned them in exchange for BTC bids .. I could trace this back to the keys mentioned below, which were released the previous week by Snowden (if they are linked at all; they are just sitting here for reference):

Snowden Tweets about a key

Probable Agenda: Taking inputs from different sources to explain & focus on the agenda, there are different versions of the primary agenda, as below:

http://www.businessinsider.in/A-shadowy-group-claims-to-have-hacked-an-elite-hacking-group-linked-to-the-NSA/articleshow/53712768.cms

Sources:

  1. Wikileaks Intention to release the same files
  2. RT’s version of Cyber Weapon Disclosures
  3. Sputnik’s version of Malware Scandal by NSA
  4. Analysis suggests revisions of malware & resemblance to older versions

Are the Shadow Brokers & the Equation Group the same, & what about the revisions?

Official Sources Timeline:

  1. The first official statement after Wikileaks signalled its probable intent to disclose the same set of files: Edward Snowden comes up with a teensy bit of a diplomatic pressure statement.

Snowden Tweets Officially in links with the "The Equation Group's" files

Some Analysis of the released files Reported:

  1. Analysis by Risk Based Security over The Equation’s Group Files
  2. Analysis by Matt Suiche, MVP – Microsoft via Medium

Solved Proof of Concept & its Working State:

  1. XORCat’s EXBE (ExtraBacon) PoC from the TEG files: the exploits appear to target firewalls, particularly Cisco PIX/ASA, Juniper NetScreen, Fortigate and more, according to analysts.

Questions: The Equation Group (NSA) were hacked, & it’s a wonder whether the files aren’t backdoored!? Of course we go through the code .. but could anyone let us know if these files are genuine?

Also, what is the use of the files, & what do they specifically target? These files landed originally at:

https://theshadowbrokers.tumblr.com

Now they are gone; the links they provided are gone (except the one here), & the original copies might already have been backdoored (as might later ones which pop up). I read it’s related to Stuxnet (or more powerful; I know that Stuxnet targeted nuclear facilities), but now that they are gone .. can anyone let us know the real intent of the files & the groups mentioned inline:

Equation Group Files

What does each section specifically do? All inputs are appreciated, & links to this post will be updated one by one as the reasons become clear.

If you have more questions, add them in the comment section below. I’ll try to link them up & compile them to match a pattern throughout.

Thanks.

Breaking the Application with Shritam Bhowmick – Application Bruteforce Demystified.

Web Form Brute Force Methods

Demonstration by Shritam Bhowmick
Web Application Penetration Tester
Independent Consulting Security Evangelist

Abstract

This is a set of web application penetration testing challenges hosted at pentesteracademylab.appspot.com; it offers several challenges for web application security researchers to break in a safe environment. This is for lab practice only, and no part of this document was provided by the original authors. Having pulled out my old research on application security, I thought to give back to the community, but not all releases are meant to be pushed here. This research is part of my private application security research and proudly serves as an opening opportunity for others to dwell on and work further on the same, as provided, as long as the original authors are credited.

Contents

Hack.
Method 1: Using Hydra to Brute Force Web Logins
Method 2: Using Burp Suite Intruder to Brute Force Web Logins
Method 3: Using Python to break Web-Form Login
Method 4: Using WebSlayer to Brute Force Web Logins
Method 5: Nmap Script Code to break web form
Contact Information.


Shritam Bhowmick Explains Shell Injection v/s Remote Code Execution v/s Code Injection – Yes, they are Different!

Shell Injection v/s Remote Code Execution v/s Code Injection

By Shritam Bhowmick
Web Application Penetration Tester
LinkedIn: https://www.linkedin.com/profile/view?id=281014248&trk=nav_responsive_tab_profile
Academia: https://independent.academia.edu/ShritamBhowmick
Facebook: https://www.facebook.com/coded32

The Bare Beginning

I promised to deliver yet more quality content on my blog, and my true intention after this particular post was to go ahead with something deep on HTTP Parameter Pollution. Looking at the awareness level (read the comments for a deeper insight into application security!) of incoming self-proclaimed security researchers and bug hunters, I recently decided to make my point and let the info-sec community know the real concepts behind application injection vulnerabilities. This post is focused on closing the ego gap and providing a platform for others to grasp the core concepts, and the necessity of such concepts being applicable to adaptive application penetration testing!

I quickly realized the core necessity of distinguishing vulnerability levels according to their categorization and of being truly technical about application security issues; this post focuses primarily on injection-level web vulnerabilities, which are very common if dug into enough. In recent conversations with many ‘elite’ bug hunters, I noticed there is a huge gap in the technical consciousness they possess, and they likely end up only getting T-shirts for the sake of a name on a Hall of Fame (no pun intended!). Money will bring you girls; knowledge will bring you girls, cars, super-bikes and the like!


Shritam Bhowmick Explains HTTP Parameter Contamination

HTTP Parameter Contamination

By Shritam Bhowmick
Web Application Penetration Tester
LinkedIn: https://www.linkedin.com/profile/view?id=281014248&trk=nav_responsive_tab_profile
Academia: https://independent.academia.edu/ShritamBhowmick
Facebook: https://www.facebook.com/coded32

Earlier, in my previous post about Enterprise HTTP Security, I described how HTTP security is a fine clockwork for an application penetration tester; this post looks into a deeper aspect of HTTP security and how logical manipulation of HTTP could potentially be used by an attacker to expose underlying application-level vulnerabilities, bypassing any security restrictions which were originally in place.

In the standard phases of application development, multi-tier application architecture is prevalent. The multi-tier architecture is a client-server architecture in which the presentation, the application processing and the data management are completely separate processes. In basic terms, multi-tier architectures are convenient for developers. The reason they are convenient is that developers can re-use code and build applications without the whole application framework having to be written all over again. They need only modify parts of the application architecture based on tiers, and gain flexibility in the use of such applications. The unfortunate part is that handling the same data across multiple platforms can lead to a security breach, or leave the application vulnerable. Logical errors are triggered this way and are completely different from injection-based attacks such as:

  • LDAP/Blind LDAP Injections
  • XML Injection
  • HTML Injection
  • SQL Injection
  • ORM based Injection
  • Spring Injection/nHibernate Injection
  • Xpath Injection
  • Command Injection

All of the above-mentioned ‘injection’ variants fall into code-level application vulnerabilities and are completely different from ‘logical’ vulnerabilities, which can still have a greater impact on web applications. During my old research, in the early phases of dissecting the behavioral patterns of different platform-based applications on different web architectures, I found these led to a couple of logic-based vulnerabilities which could be used by an attacker for their benefit. This led me to research further, and I came to a conclusion about something which already existed, called ‘HTTP Parameter Contamination’ or HPC. During my research at Defencely, I found out that this particular attack methodology does not rely on a specific platform but applies across many different web-based platforms, such as PHP on Apache, ASP.NET on IIS, etc.


Enterprise HTTP Security Inspection for Realistic Application Security

The need for HTTP Security Inspection on Application Security

By Shritam Bhowmick
Web Application Penetration Tester
LinkedIn: https://www.linkedin.com/profile/view?id=281014248&trk=nav_responsive_tab_profile
Academia: https://independent.academia.edu/ShritamBhowmick
Facebook: https://www.facebook.com/coded32

Application Layer – HTTP from the Security Perspective

The application layer is the first layer which needs a security check that goes beyond any other common checks. Automated scanners might do this as pre-defined in their programmed logic, but most of them fail to find the bugs which pass through the HTTP handler and hence create critical vulnerabilities for business enterprises. Yes, I am talking about the Hypertext Transfer Protocol, which is by now the most common and most widely used text-based protocol on the internet. Web applications use this text-based protocol since it is easier to implement and to handle parallel requests with. The web server handles the requests made by clients, and penetration testers often ignore a variety of checks against HTTP from the security perspective. Once an application penetration tester has grown fairly experienced in studying HTTP at a deep level, he/she can already understand why a particular request could be manipulated by a client-side proxy in multiple ways and produce a critical security bypass.

Before I jump into concluding the security aspects of the Hypertext Transfer Protocol, my application security research has produced a comprehensive study of where to start with HTTP from the security standpoint. This question has been asked many times, and people have failed to come up with an exact method to detail everything in one book or post. This study is more of a guideline for application penetration testers than a reference study, but either way it could be used both ways. I had prepared a standard draft for HTTP security research in topic segments which, if wished, could be sub-categorized; but for the sake of reference and as a guide, I have detailed them as modular topics which could be used by any application security researcher, bug hunter or application security enthusiast for their own analysis.


Fine Tuning Adaptive Network Penetration Test – External, Internal and Wireless

Fine Tuning Automation for Network Penetration Test

By Shritam Bhowmick
Web Application Penetration Tester
LinkedIn: https://www.linkedin.com/profile/view?id=281014248&trk=nav_responsive_tab_profile
Academia: https://independent.academia.edu/ShritamBhowmick
Facebook: https://www.facebook.com/coded32

Network Penetration Testing

A lot has been discussed earlier about network penetration testing in forums, on IRC and at security conferences, but everyone has looked for some automated approach to keep network penetration test related tasks going fast. The fast approach is desired for mass IP scans and large IP ranges which have to be tested in a short time. Most of these network nodes have services open which could be investigated further if these services are well known to be exploited in the wild.

There are various kinds of network penetration testing, listed below:

  1. External Network Penetration Testing
  2. Internal Network Penetration Testing
  3. Wireless Network Penetration Testing

Now, as most of you have already assumed, there could be an automated approach to all of them; this seems easy but is harder when taken from a wide security viewpoint. The art of choosing the set of tools at your disposal for a network security audit lies beyond the defined scope, since many of these tools send malicious packets which could stress a web server or critical production server, costing the client financially through loss of service. As a penetration tester I have learned this art from my own lessons and experience, and this would be my own personal methodology for a network penetration test. The questions which should be asked of the client before beginning an engagement are the major feedback on how one should prepare for the penetration test.


Adaptive Application Framework Driven Vulnerabilities and the Padding Oracle

Securing Web Applications before Deployment.

An analysis focused on the various frameworks used to deploy web applications.

By Shritam Bhowmick
Web Application Penetration Tester
LinkedIn: https://www.linkedin.com/profile/view?id=281014248&trk=nav_responsive_tab_profile
Academia: https://independent.academia.edu/ShritamBhowmick
Facebook: https://www.facebook.com/coded32

Abstract

Dedicated vulnerability and bug researchers go deep into application security while studying application internals, and there is a prominent rise in hidden attack vectors which are never common. There is a common misconception among developers that deploying applications which are vendor-enabled with third-party proprietary framework libraries will add security to the application. The libraries which developers rely on are themselves vulnerable if properly dissected and studied. This brings business concerns to the business assets. The business assets could be anything from bank details to stored credit card information kept so that customers can easily access such numbers. Although data integrity is maintained when storing, and the data is encrypted, it takes an attacker only a while to get in and get out without really being noticed. Contrary to the statements above, there is yet another belief that open-source libraries will be safer since they go through revisions by the mass community, but the truth is bitter. Again, deep down in the open-source libraries there exist multiple critical vulnerabilities which need to be addressed before deploying them as they are. The information given below will detail the vulnerabilities which lie deep inside the libraries used to deploy rich internet-based applications.

What do developers see as a convenient way of deploying a web application?

  • Languages used: PHP, Java, Ruby, Scala, Perl, Python, Haskell, ColdFusion and more.
  • Frameworks used: .NET, Zend, CodeIgniter, Spring, Catalyst, Snap, CakePHP, Yii, Fusebox and more. Even more popular ones are Django, Sinatra, Mason, Pyjamas, Symfony and Grails.


Web Security Threat Prediction

Web Security Threat Prediction

By Shritam Bhowmick
Web Application Penetration Tester
LinkedIn: https://www.linkedin.com/profile/view?id=281014248&trk=nav_responsive_tab_profile
Academia: https://independent.academia.edu/ShritamBhowmick
Facebook: https://www.facebook.com/coded32

Abstract

The web security scene has become more complex than ever known, and it’s time the various industries took a deeper look at it to gain an in-depth grasp of the situation which affects them directly or indirectly. This could come as a blow and wouldn’t let you know until it’s too late. This post will take you through the recent predictions in terms of web security and will inform you of the latest web attacks on the rise, and how such attacks are bad for business as well as reputation, let alone the financial losses. When we talk about industry, this doesn’t have to be the retail industry; it stretches from medical appliances to the car manufacturing industry and right down to the electronic cigarette industry. That being said, we will look at how the various industrial assets which have had, and continue to have, a presence in the web world are affected directly or indirectly, and why web security is an absolutely important factor for them, too big a risk to ignore or compromise on.

Prediction 2015

I have compiled and defined a statistical background check on as many application attack vectors as possible, and from the statistical approach have evidently arrived at a very conclusive set of industries which could face bankruptcy as well as reputation loss if the web security part is ignored. Here we have picked out some of the industries on which ignoring web security at their end has a direct business impact.

  • Medical Department
  • Web Retail Department and Business Assets
  • Opensource Platforms
  • Mobile Devices
