Promoting yourself in a Highly Competitive Environment
by Juan Galiana Lara, Paul McCann & Martin Mitchell

Thursday 19th April 2012 .4pm DIT Bolton Street Room 281

When: Tuesday 27th, 6pm
Where: KA G 026 Ground floor Annex building, Kevin St

My name is Michael Loughran. I am a final year project student in DT228 and I will being a brief talk on some of the security issues I encountered over the development of my project. The projects goal was to create a space MMO game that could be played in a web browser. It was developed in PHP and used mysql for the database. In this talk we will cover

• sql injection
• cross site scripting
• input validation

We will show some sample applications that have been developed and show how each of these issues can affect them. This talk will demonstrate how to not only perform the above attacks but also how to secure web applications against them.

Have a look at http://147.252.127.43/collegedemo2 though, it’s an sql injection tutorial thing. Some parts don’t work (like most of level 4 and all of the “500″ challenges) as I wrote it up really roughly and in a hurry. When the assignments are over I might rewrite it.

In the mean time, good luck with assignments and keep an eye out for when we start back up events, possibly next week or the week after!

I’ve setup a script and some template configs/plugins for irssi, an irc client.

Log into our server, login.netsoc.dit.ie in the usual way, run byobu or screen so you don’t loose your connection when you logout and run “setupirc”. After this is complete, it will prompt you to run irssi.

The script sets irssi to auto connect to irc.netsoc.dit.ie and join #dit channel. Check out #intersocs (main channel where all the different society people are) as well by typing /join #intersocs

Why did it take us so long to connect?

Why didn’t we connected sooner? Well we tried, but there was a strange error

“Connect: Host irc.netsoc.tcd.ie not listed in ircd.conf”. Basically the issue was that the debian build of ircd-hybrid removes the ssl connectivity. That combined with the fact that unfortunately if ircd-hybrid never gave any errors about the ssl options. Simply put, if the ssl options were left in, it would just silently skip over the connect block and not show it even existed. Was just by chance that i commented out the rsa private file and crypto link and gave it a wack that I realised the problem went away.
Simple build instructions for debian. This doesn’t work with lenny due a bug in building with libssl. I’m sure you could change which library it compiles with to get it to work, http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=482630

apt-get -y install libssl-dev fakeroot
apt-get -y build-dep ircd-hybrid

mkdir ircd-build
cd ircd-build
apt-get source ircd-hybrid
cd ircd-hybrid-7*
sed -i 's/NICKLEN = 15/NICKLEN = 9/g' debian/rules
USE_OPENSSL=1 fakeroot debian/rules binary
cd ..
dpkg -i ircd-hybrid*.deb

Here’s a quick write up on what the challenge was and how we cracked it. A big thank WIT Hacking society for putting on the conference and Seán Ó Briain (@SeanOBriain) for creating the challenge. It was a lot of fun.

Introduction

The story behind the challenge was that a bomb is ticking down and we have to crack through the challenges and disarm the bomb before it blew up (there was obviously no real bomb just to clarify). The challenge consisted of 3 parts where at the end of each one, you were able to enter your team name. Our team name was “Club Mate.” (not a well chosen name I admit, especially as I think the stuff takes like crap)

Cracking the challenge

Initially we were given 2 ip addresses and told which one to start with.

The first server was called WOPR (wargames reference – great movie) running ubuntu. We port scanned it and found a http and ssh server running.

The web server consisted of a range of games. Series of urls had urls with parameters included (such as ?game=bla). These urls were vulnerable to sql injection.

Using one of these injection points, we pulled out two interesting tables. A “users” table and an “ssh-users” table. The users table contained an md5 hash. We cracked it with john the ripper and used the login to enter our our team name into the website. (The md5 hash wasn’t salted so we could have just googled it however we hadn’t got internet hooked up at the time as there was no need. Using the wordlist from john the ripper, we cracked it in fairly little time)

The ssh-users table contained a login/password to allow us to ssh into the machine. There we found a mail log that contained a conversation. This contained login details for a website running on the second server.

The second server was running ubuntu and was named GIBSON (yes we did hack the gibson). It was also running an unknown service that when we telneted to it, we found a prompt asking us for a passphrase to disable the bomb. None of the credentails worked at this point so we moved on.

We got a .htaccess type password prompt which we used the credentials we gleaned from the mail file to login. The website had a file upload feature. We attempted to upload a php shell however there was content filtering. Using burp, we changed the type of the file to plain/text and uploaded one of our php shell scripts. This allowed us to run system commands similar to terminal access.

Once we had terminal access, we poked around the files to see what we could find and discovered one of the users in the /home directory had their directory as world readable. inside was an interesting file (i think the word “key” was in the filename) containing a random stream of characters. We submitted that key to the service prompting us for the bomb deactivation code however it was denied. We backtracked and tried various other usernames/passwords. Finally realised the string was all base64 characters, decoded it and entered the code to deactivate the bomb.

Was an enjoyable set of challenges and from what we heard aftewards, we weren’t alone in thinking that. Hope to head out next year for more challenges and again, thanks to wit hacking society and Seán Ó Briain for creating the challenge for us!

When: Thursday 15th, 6pm
Where: KA-1-16

This thursday, we will be hosting a mini wargame. I say mini because I didn’t have the time to touch it up to quite the level i’d like.

There will be some purposely vulnerable machines setup for everyone to try hack. This will be similar to the setups we have guided people through with the workshops/tutorials. Hope to see you all there!

Workshop:

You’ll need:
Linux/ubuntu live cd (recommended). We’ll push this out via torrents at the start of class
firefox (again, preferred but not required)
Burpsuite
john the ripper
wordlist (http://download.openwall.net/pub/passwords/wordlists/), we’ll pass this around via torrents as well as their mirror is quite slow.

Setup:
On your LAB PC:

First: Check if ubuntu iso is on the E:\ drive. If it is, you may skip the following.

==================================================================
Download: http://portableapps.com/apps/internet/utorrent_portable, Install to the E:\ drive.
Run utorrent portable.
Navigate to the server address ———–(I haven’t got the server online yet, please wait untill the workshop starts)
Download the torrents on the page using utorrent portable and save the data to the E:\ drive (NOT YOUR U:\ drive)
==================================================================
Once you’ve downloaded ubuntu, vmware as shown in this pdf – setupvmware.

You’ll probably need to change your dns servers you can do so by typing:

echo “nameserver 8.8.8.8″ | sudo tee /etc/resolv.conf

Then you’ll need to install libssl-dev , sudo apt-get install libssl-dev to have the proper libraries to compile john.
You’re now ready to start hacking at the first server. Setup burp suite and firefox as shown before and aim your browser at: http://147.252.234.230

You will need to crack some passwords at some stage in the challenge, this is how you compile john the ripper ( a password cracker)

Compile john
Google “john the ripper” and download the latest community-enhanced version. It’ll probably appear in /home/ubuntu/Downloads/. You’ll need to extract it, tar -zxvf the-file-name-here
cd into the directory it extracted and into src and type make to see all the options. You will most likely want to type
make linux-X86-any. Once this has completed, you’ll find the program in the run directory (cd ../run)

Mitigation:

I’ll update this post about how we can secure the holes for the different parts of the challenge that have been solved.

As per usual, this will be in KA-3-05 from 6pm.

We will be doing a system administration workshop this Monday for installing and configuring services on a linux server. This will be hands on using vmware player on the lab machines.

We will be covering the basics such as

• Installing daemons/services
• configuring services
• adding users
• Analysing logfiles
• configuring network settings
• Setting up firewalls

Workshop notes, please download a torrent program such as utorrent portable.

Navigate to http://147.252.234.51 and download “ubuntu-11.10-desktop ” etc torrent and open it and start downloading

Once you have the iso downloaded, please read this file on how to set up vmware with the image setupvmware

To clarify for anyone who’s not using vmware, the setup should be a “bridge network connection” and we will be running a live cd not installing it

Once vmware and ubuntu is setup, please boot up and select “TRY UBUNTU”

Update: Great turn out, hope everyone found this as enjoyable as I did. Here are some photos of the event

DATE: 30th March at 17:00

Dear all,

We have the great pleasure to invite you to the upcoming OWASP Dublin event next Friday 30th March at 17:00 (registration opens at 16:30) in Google Ireland Engineering offices at One Grand Canal Plaza Building (located on Grand Canal Street Upper, beside the junction of Warrington Place and Barrow Street).

You could find a placemark for the building on this map : http://goo.gl/ZGASA

This event is free and open to EVERYONE but registration is mandatory. In this occasion, we have two great speakers from the UK coming only to deliver these talks.

Workshop #1 Details – Application Hacking: Beyond the OWASP Top 10

Whilst many guides, tools and methodologies stress the importance and expand the ubiquity of the OWASP Top 10, many of the more interesting vulnerabilities are those which are not. In this talk, MDSec present some results from our assessments which defy even the broad classification of the OWASP Top 10.

Guest Speaker: Marcus Pinto
Twitter: @mdseclabs

With nine years’ experience, Marcus Pinto is an industry thought leader in Information Security, having authored the Web Application Hacker’s Handbook Series, and delivered numerous private training courses, conference training, seminars and awareness days on technical subjects worldwide. Marcus has managed end-user security, consultancy and internal penetration testing teams for government and financial sector organisations.

Workshop #2 Details: iOS Application (In)Security

The mobile application market has exploded in the last few years. With Apple holding a majority market share in the consumer market and a growing foothold in the enterprise, iOS application security has never been so important. In this talk, MDSec will present some of the lessons learned from evaluating iOS applications covering the platform security features, blackbox app assessment and the security relevant APIs.

Guest Speaker: Dominic Chell
Twitter: @deadbeefuk

Dominic is a director of MDSec, a UK based security consultancy specialising in a range of technical security assessment services including Mobile security. As a researcher, Dominic has been publicly acknowledged by numerous vendors, including Apple, for vulnerability disclosure.

Registration: http://www.regonline.com/beyondtop10

Any questions, please let me know.

Thanks,
Fabio

_______________________________________________
Owasp-ireland mailing list
Owasp-ireland@lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-ireland

When: Monday- 5th March 6pm
Where: KA-305 in Kevin st Annex building

Here’s what he has to say about the workshop

Problem: Even with 100Mb connections, downloading from one location (Be it the internet or the M drive etc), would saturate the downlink with 30/40 labs (ontop of everyone elses traffic). Usbs are slow and even sharing between lab pcs would be hectic.

Solution: I remember twitter using bittorrent for server deployment. (http://torrentfreak.com/twitter-uses-bittorrent-for-server-deployment-100210/). So this evening, when the labs emptied out for this weekend, I setup a torrent tracker – RivetTracker  -http://sourceforge.net/projects/rivettracker/, which was quite easy. All you need is a mysql username + password and some php server space. It has a similar setup to wordpress the first time. You’re given a username + password you can use to upload new torrents to it.

I was expecting it to be more difficult than it turned out to be but we just grabbed some torrent clients, logged onto all the lab PCs, set them all up to download the torrent. Was quite cool watching all the lab pcs max out upload/download speeds. We didn’t time the process unfortunately but it was quite fast.

Funny enough, this process turned out to be faster than transferring the collection to usb and transfering across to a shared smb drive. So one of the labs now has a nice collection of 10 gigs of security research tools on the E: drive (tempdata) although this is liable to be wiped after a certain period of time. Fred Mtenzi (security lecturer) has kindly given permission for this collection to be stored on the M drive under “netsoc” directory so even if this collection is lost, you can download it again from here without hunting around too much.

Final Notes: This isn’t of the usual importance that usually makes it to a website post however I did think it worked REALLY smoothly and worked surprisingly well. While the implementation is trivial and nothing new, It would be well worth a look for deploying tools in the lab. After I had it all done, I considered that a multicast solution might have worked better since they were all on the local network. Ah well, always next time!

Update: People were asking me to upload a screenshot of my setup.  Unfortunately I don’t have a screenshot of when all the clients were connected, but this is the aftermath. An announcement recent about rivettracker highlights a LOT of security vulnerabilities. Specificly, sql injection. The code looks horrific and the latest version off sourceforge is still vulnerable. A bit of google-fu also shows there’s a lot of servers out there running this… dangerous. This seems like a semi-easy target we may try exploit in a workshop. Here’s the report here http://packetstormsecurity.org/files/110416/rivettracker-sql.txt

Also quick note, we have patched the version we use in the labs each week however you’re welcome to verify it yourself!

When: 6PM Tuesday 28th February
Where: KA G 026

Topics will include but are not limited to

• Installing packages/services
• How to configure services
• Networking
• Firewalls with iptables
• Locking down the system
• Libraries + development headers and compiling services from source

When: 6-8pm Monday 27th February
Where: KA-3-05

We will be doing a source control workshop and talk tomorrow. Covering a basic overview of how it works, and and why you should use it. We will then use git and git hub to show you how you can use it.

Versioning software is used to take snapshots of your code and collaborately integrate different snapshots that different people have worked on into one project. We highly recommend coming along if you’ll be doing programming at some stage and even if you’re not. We’ll be using git in future workshops/events so if you’re planning on coming to later workshops,

Update:
Video of the workshop

https://docs.google.com/a/socs.dit.ie/spreadsheet/viewform?formkey=dGI2SUxsbWFDM1p4a29YVDFIVWlVbmc6MQ

We’re doing a launch party on Monday 13th at 6pm in KA-1-17. You’ll need a full copy of minecraft for this event which you can get here http://www.minecraft.net/store . Declan, a member of the committee, has written a lua wrapper script to extend the interaction between the server which we will be publishing to github soon. We hope to advance the scripting behind the server a lot more in the time to come.

If you keep an eye out, you may just see some creepers walking around DIT today. Here’s some pictures of a few creations from our server so far.

Update:

Thanks to all who showed up, had some great craic and I even hear some the creeper came to life at some stage in the snackery and scared the living crap out of some people. To whoever it was, would be interested in hearing how many people you got to scare

Project Night

We’ll be hosting a project night on Thursday from 6-8 in KA-1-16. This Thursday the 16th Feburary, we’ll be giving the” webtimetables plus” project a crack. See http://www.netsoc.dit.ie/2012/01/webtimetables-plus-project-proposal/ for more details. This will be a group orientated meetups rather than the usual lecture/workshop style so expect more of an even contribution level from everyone rather than one of us standing up and teaching everyone.