Friday, December 7, 2012

Windows Vulnerability Assessment

Nowadays every enterprise, be it small or large, depends on information technology (IT) for some or most of its operations, and with IT comes information security. Most small and medium scale enterprises (SMEs), and sometimes large enterprises, are unaware of the issue of information security and hence often ignore it. The budget (if any) allocated to implementing cyber security is usually too scarce to get a thorough penetration test and/or security compliance audit done. This negligence often leads to a security breach and ultimately costs more in the form of data loss and incident handling costs. In cyber security it is always better to follow a proactive strategy than a reactive one.
In this article we are going to discuss Windows vulnerability assessment utilizing some free and easy to use tools. The tools have been chosen intentionally so that anyone with a basic technical understanding can use them, so that the administrator of even a small enterprise can utilize them to generate results and take appropriate action.
Before discussing vulnerability assessment and the tools in detail, here are a few terms that need to be defined:
  • Vulnerability: Vulnerability can be understood as a weakness or flaw in the application which allows an attacker to cause undesirable operations or gain unauthorized access. Presence of vulnerability poses a threat to the user of the application as it might lead to data compromise. Example: Buffer Overflow
  • Threat: An event or action that might prejudice security. A threat can also be described as a potential violation of security. Example: A Virus
  • Attack: Any action that attempts to violate the security of a system. Example: Brute Force
  • Exploit: A command sequence or data chunk whose aim is to take advantage of a flaw or vulnerability in an application. Example: MS12-020 RDP exploit
Now that we understand the basics, let's move forward. Vulnerability assessment in terms of cyber security can be understood as the process of identifying, enumerating and ranking the vulnerabilities present in a system or network in order to patch them. It is concerned with the security of the resource and its environment and is a proactive approach.
Typical assessment steps:
  • Classifying system resources
  • Assigning a quantifiable value to the classified resources
  • Detecting possible threats (vulnerabilities) to each resource.
  • Eliminating the vulnerabilities on priority basis.
Often people, even in the IT industry, confuse vulnerability assessment with penetration testing. Here are the differences between the two:
Vulnerability Assessment
  • Aim is to find out all potential vulnerabilities.
  • It provides an overview of the existing flaws.
  • Might present false positives regarding the vulnerabilities. It does not validate them.
  • It is difficult to check if the security measures (IPS, IDS, firewall etc.) can be bypassed or not.
Penetration Testing
  • Aim is to identify and exploit the vulnerabilities.
  • It demonstrates the impact of the flaw.
  • Exploiting the vulnerabilities removes the chance of a false positive.
  • Simulating the attack determines if the security measures (IPS, IDS, firewall etc.) can be bypassed or not.
Windows operating systems are some of the most used as well as most exploited operating systems around the world. The ease of deployment and usage has not only made them popular among common users but also a soft target for attackers. Here we are going to discuss some tools which can be utilized to easily perform Windows vulnerability assessment so that flaws are identified at the right time by the right people to avoid security breaches.
Open Vulnerability Assessment System: Initially named GNessUs, OpenVAS is a powerful vulnerability scanning and management framework. It was forked from the popular vulnerability scanner Nessus after Nessus went proprietary in 2005 (initially it was free and open source).
OpenVAS is based on client-server architecture over SSL. The architecture is explained below (source: http://www.openvas.org/software.html):
  • OpenVAS Scanner: At the core of the architecture is the OpenVAS scanner which executes the Network Vulnerability Tests (NVTs). The NVTs are regularly updated with the NVT feed.
  • OpenVAS Manager: It provides the service of combining the vulnerability scanning with vulnerability management. The manager makes it possible to implement various clients for consistent behavior. It also controls a SQL database for central storage.
  • Greenbone Security Assistant: GSA provides a browser based interface for the application.
  • Greenbone Security Desktop: GSD provides a desktop client.
  • OpenVAS CLI: A simple command line interface.
  • OpenVAS Administrator: It is a full service daemon whose task is user and feed management.
The protocols implemented in OpenVAS are:
  • OpenVAS Transfer Protocol (OTP)
  • OpenVAS Management Protocol (OMP)
  • OpenVAS Administration Protocol (OAP)
Feature overview of OpenVAS:
OpenVAS Scanner
  • Many target hosts are scanned concurrently
  • OpenVAS Transfer Protocol (OTP)
  • SSL support for OTP (always)
  • WMI support (optional)
OpenVAS Manager
  • OpenVAS Management Protocol (OMP)
  • SQL Database (SQLite) for configurations and scan results
  • SSL support for OMP (always)
  • Many concurrent scan tasks (many OpenVAS Scanners)
  • Notes management for scan results
  • False Positive management for scan results
  • Scheduled scans
  • Flexible escalators upon status of a scan task
  • Stop, Pause and Resume of scan tasks
  • Master-Slave Mode to control many instances from a central one
  • Report Format Plugin Framework with various plugins for XML, HTML, LaTeX, etc.
OpenVAS Administrator
  • OpenVAS Administration Protocol (OAP)
  • SSL support for OAP (always)
  • All OAP commands also as command line parameters
  • User Management
  • Feed status view
  • Feed synchronization
Greenbone Security Assistant (GSA)
  • Client for OMP and OAP
  • HTTP and HTTPS
  • Web server on its own (micro-httpd), thus no extra web server required
  • Integrated online-help system
Greenbone Security Desktop (GSD)
  • Client for OMP
  • Qt-based
  • Runs on Windows, Linux, etc.
  • Support of Internationalization (English, German, French…)
OpenVAS CLI
  • Client for OMP
  • Runs on Windows, Linux, etc.
OpenVAS comes pre-installed on BackTrack 5 under:
Backtrack > Vulnerability Assessment > Vulnerability Scanners.
Steps to set up OpenVAS in BackTrack 5
OpenVAS provides a utility to check the setup of the application. It can be run with the following command from the directory /pentest/misc/openvas:
# ./openvas-check-setup
This command checks the setup and reports the issues it finds together with advice on fixing them.
Add a user to OpenVAS using the option OpenVAS Adduser. The output is displayed in figure 1.
Figure 1. Adding a user to OpenVAS
Create the certificate using the option OpenVAS Mkcert. Certificate creation is demonstrated in figure 2.
Figure 2. Certificate created
Synchronize the NVTs using the option OpenVAS NVT Sync. The NVT sync process is shown in figure 3.
Figure 3. NVT sync
Start the scanner through the option Start OpenVAS Scanner. The output of this step and of the following steps is shown in figure 4.
Create the client certificate using the command:
# openvas-mkcert-client -n om -i
Rebuild the database by running the command:
# openvasmd --rebuild
Create an administrative user using the command (the user is managed by the Administrator daemon, openvasad):
# openvasad -c 'add_user' -n AdminNameHere -r Admin
Start OpenVAS Manager:
# openvasmd -p 9390 -a 127.0.0.1
Start OpenVAS Administrator:
# openvasad -p 9393 -a 127.0.0.1
Figure 4. OpenVAS Setup
Start Greenbone Security Assistant:
# gsad --http-only --listen=127.0.0.1 -p 9392
Access the Greenbone Security Assistant interface to start the assessment using a web browser with the address 127.0.0.1:9390. Figure 5 shows the GSA interface.
Figure 5. GSA interface
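The setup commands above bind the Manager, Administrator and GSA to 127.0.0.1, and a practitioner will want to confirm that after starting them. The following Python check is an added example, not part of the original article or of OpenVAS: it parses the output of ss -ltn (the sample below is constructed) and reports whether each expected port is bound to loopback, exposed on all interfaces, or not listening at all.

```python
"""Added example: verify that the OpenVAS daemons started above listen on
loopback only. Parses `ss -ltn` output; the sample output at the bottom is
constructed, not captured from a real host."""
import re

# Ports used by the setup commands in the article, and the daemon expected on each.
EXPECTED_PORTS = {9390: "openvasmd", 9392: "gsad", 9393: "openvasad"}

# One listening-socket line of `ss -ltn`: state, queue counters, local addr:port, peer.
SS_LINE = re.compile(r"^LISTEN\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+")

LOOPBACK = {"127.0.0.1", "[::1]", "::1"}


def parse_listeners(ss_output):
    """Return {port: local_address} for every LISTEN line in the ss output."""
    listeners = {}
    for line in ss_output.splitlines():
        m = SS_LINE.match(line.strip())
        if m:
            listeners[int(m.group(2))] = m.group(1)
    return listeners


def check_openvas_bindings(ss_output, expected=EXPECTED_PORTS):
    """Classify each expected daemon port as 'loopback', 'exposed' or 'missing'.

    Returns {daemon: (port, local_address_or_None, status)}."""
    listeners = parse_listeners(ss_output)
    report = {}
    for port, daemon in expected.items():
        addr = listeners.get(port)
        if addr is None:
            status = "missing"    # daemon not started, or bound to another port
        elif addr in LOOPBACK:
            status = "loopback"   # what the -a 127.0.0.1 / --listen=127.0.0.1 flags intend
        else:
            status = "exposed"    # reachable from the network: revisit the -a/--listen flag
        report[daemon] = (port, addr, status)
    return report


# Constructed sample: manager on loopback, GSA mistakenly bound to all
# interfaces (*), administrator not running at all.
SAMPLE_SS_OUTPUT = """\
State      Recv-Q Send-Q Local Address:Port   Peer Address:Port
LISTEN     0      128    127.0.0.1:9390       *:*
LISTEN     0      128    *:9392               *:*
LISTEN     0      128    127.0.0.1:631        *:*
"""

if __name__ == "__main__":
    for daemon, (port, addr, status) in check_openvas_bindings(SAMPLE_SS_OUTPUT).items():
        print(f"{daemon:10} port {port}: {status} ({addr})")
```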
Microsoft Baseline Security Analyzer: MBSA is a software tool provided by Microsoft to assess the security state of a Windows machine. MBSA looks for missing security patches and security misconfigurations to find out the basic security issues the machine might be facing. MBSA not only looks for OS-based issues but also for issues in some of the widely deployed Microsoft services and applications such as IIS, SQL Server, Internet Explorer (IE) and MS Office. Figure 6 shows the MBSA interface.
Figure 6. MBSA interface
MBSA provides two interfaces to the application: the graphical interface is accessed through Mbsa.exe and the command line interface through Mbsacli.exe. Although both interfaces perform the same function, the command line interface provides some advanced technical options for better administration. The advantage of using the graphical interface is that it displays the result immediately after the scan. After scanning a single computer or multiple computers, MBSA provides a list of security recommendations that can easily be implemented by the administrator to raise the security level of the machine. Figure 7 displays the result of an MBSA scan.
Secunia PSI: Although Microsoft Baseline Security Analyzer (MBSA) can be used to check for missing updates for the Windows OS and services, what about third party applications? Even when the release of a new version of an application is known, it is often ignored, and this is where Secunia Personal Software Inspector comes in. Secunia PSI is a free application for security scanning. It checks which applications need to be updated and is also capable of automating the update process. The application can run in the background, identify the programs that need updating, download the appropriate patch and install it, without much user interaction. If it is not capable of updating the application itself, it notifies the user and also provides some instructions that can be helpful in the process. Figure 8 shows the output of Secunia PSI for a Windows machine.
Figure 8. Secunia PSI scan result
Secunia PSI performs its function by examining the files on the computer and extracting vendor-specific software metadata. The collected data is then sent to Secunia's server, which determines the applications installed on the machine and returns a report of the security updates missing from the system. By allowing scanning for all updates through one interface and automating the update process, it substantially reduces the effort required to keep the system updated and increases the security level. Figure 9 displays the Secunia PSI interface after updating a specific application.
Figure 9. Secunia PSI output
Protector Plus - Windows Vulnerability Scanner: Protector Plus WVS is a utility developed by Proland Software that is capable of detecting the vulnerabilities present in a Windows environment. It scans a machine for vulnerabilities and displays the result in the form of a list. Along with the vulnerabilities it also provides a rating for each vulnerability and a link to the appropriate Microsoft patch (Microsoft Security Bulletin). It is a simple program which requires no installation and executes by simply double-clicking Winvulscan.exe. Along with displaying the result list it also creates a log file named Protector_Plus_Windows_Vulnerability_Scan.htm in the folder where the .exe is. The result of Protector Plus WVS is shown in figure 10.
Figure 10. Protector Plus WVS result
Windows Sysinternals: Windows Sysinternals is not actually a vulnerability scanner, but it is capable of assisting users with its various functions. It is a collection of utilities which help to manage, diagnose, troubleshoot and monitor a Windows machine. The Sysinternals utilities have been bundled together into a single suite, the Sysinternals Suite.
The tools in the suite are:
AccessChk, AccessEnum, AdExplorer, AdInsight, AdRestore, Autologon, Autoruns, BgInfo, CacheSet, ClockRes, Contig, Coreinfo, Ctrl2Cap, DebugView, Desktops, Disk2vhd, DiskExt, DiskMon, DiskView, Disk Usage (DU), EFSDump, FindLinks, Handle, Hex2dec, Junction, LDMDump, ListDLLs, LiveKd, LoadOrder, LogonSessions, MoveFile, NTFSInfo, PageDefrag, PendMoves, PipeList, PortMon, ProcDump, Process Explorer, Process Monitor, PsExec, PsFile, PsGetSid, PsInfo, PsKill, PsList, PsLoggedOn, PsLogList, PsPasswd, PsService, PsShutdown, PsSuspend, RAMMap, RegDelNull, RegJump, RootkitRevealer, SDelete, ShareEnum, ShellRunas, SigCheck, Streams, Strings, Sync, TCPView, VMMap, VolumeID, WhoIs, WinObj, ZoomIt.
The utilities in the Sysinternals suite are small yet quite useful. Utilities such as Process Explorer, RAMMap and Autoruns are very advanced and provide functionality not found even in various commercial applications. Although these utilities do not provide any vulnerability detection, they can be very helpful in detecting various security threats/attacks and in daily troubleshooting.
Conclusion
Vulnerability assessment as described above helps to substantially reduce the risk of a security breach. It should not be taken as a substitute for other security practices such as penetration testing, malware scanning, IPS/IDS implementation, log analysis etc., but should be practiced as a complementary process. As it does not require special training in the information security domain and can be accomplished by anyone with a basic understanding of computers, it must be on the priority list of any enterprise which desires to keep its data safe.

You can learn Ethical Hacking from the Infosec Institute, one of the leading institutes in the field of Information Security training: http://www.infosecinstitute.com/courses/ethical_hacking_training.html



Thursday, November 29, 2012

Intrusion Detection System

In the past few years, advancements in technology have grown hand in hand with a substantial increase in hacking and cyber espionage. The whole world is deeply interconnected through the medium of the Internet, and one vulnerable machine can be the gateway to a series of undesirable events. The motivation for such events could be anything from financial gain, to political statements, or simply fun. But for the victim of such an attack, it might cause a much more significant loss than intended. For example, a technology company whose website is successfully hacked suffers a loss of reputation, which is certainly very damaging for any company. Enterprises, governments, and even individuals face this problem on a daily basis without knowing how to deal with it.
So what is a solution that could help considerably reduce, if not eradicate, this threat? The answer is the implementation of an intrusion prevention system (IPS). An IPS can be understood as a security mechanism that monitors a network and/or system for any malicious action and tries to prevent it.
As explained on Wikipedia (http://en.wikipedia.org/wiki/Intrusion_prevention_system) the core functions of an IPS are:
  • Identify malicious activity
  • Log information related to such activity
  • Attempt to block/stop such activity
  • Report the activity
Often, an intrusion prevention system (IPS) is confused with an intrusion detection system (IDS), but in reality an IPS can be considered an extension of an IDS. They do have some features in common like traffic monitoring, observing system activity, creating logs etc., but what makes an IPS different from an IDS is the IPS's ability to prevent/block any detected intrusion attempt.
Differences between IPS and IDS:
IPS
  • It provides an active prevention security solution.
  • An IPS sits in-line with the network traffic flow.
  • Core function is to prevent an intrusion.
  • An IPS slows down the traffic (analysis time).
  • Example: Snort
IDS
  • It provides a passive detection security solution.
  • An IDS generally does not sit in-line (although it can) with the network traffic flow.
  • Primary purpose is monitoring and reporting of any malicious activity.
  • An IDS does not affect the traffic.
  • Example: OSSEC HIDS
Because of the services provided by an IPS, it is also known as an intrusion detection and prevention system (IDPS). Basically, an IPS sits in-line with the network traffic and monitors it.
Through analysis of intrusion signatures, generic behavior, and heuristic methods, it looks out for any malicious action on the network/system and takes the appropriate action of dropping the packet and/or blocking the specific traffic. It further sends an alert to the administrator when any such event occurs.
Intrusion prevention systems can be classified as:
  • Network intrusion prevention system (NIPS): This type of IPS is placed at specific point(s) on the network to monitor the entire network for any malicious traffic and attempts to stop it.
  • Host intrusion prevention system (HIPS): A host intrusion prevention system is implemented on individual hosts (or devices) to monitor the inbound and outbound traffic for that specific host/device and perform the required action after detecting any malicious activity.
  • Network behavior analysis (NBA): This kind of IPS inspects the traffic for suspicious or unusual flow that could lead to an attack like DoS/DDoS.
  • Wireless intrusion prevention system (WIPS): This monitors the wireless network for malicious behavior.
Some common types of threats that an IPS usually is capable of handling:
  • DoS/DDoS attack: An attack that aims to make a service unusable for legitimate users by flooding the service with a huge number of connection requests.
  • ARP spoofing/poisoning: ARP stands for Address Resolution Protocol, which is used to find a MAC address when the IP address is known on a local network. If successful, this kind of attack allows the attacker to intercept all the traffic between two hosts.
  • SSL evasion: Most new IPSs are capable of stopping attacks on the SSL protocol.
  • Port scanning: Generally IPSs are capable of stopping any attempt to find which ports are open on specific hosts.
  • OS fingerprinting: During the recon phase of an attack, one of the most important tasks is to identify a target machine’s operating system so that specific exploits can be launched to compromise that machine. Modern IPSs are capable of detecting and stopping any such attempt.
  • Buffer overflow: This is one of the most widely exploited attacks that can lead to total system compromise. This can be handled by an advanced IPS.
An IPS generally utilizes the following detection methods:
  • Signature based threat detection: An IPS contains a huge repository of attack signatures from known exploit/vulnerability patterns and utilizes these to detect any attempt at intrusion. If a match is found based on the signature, suitable action is taken by the IPS to prevent the attack.
  • Anomaly based threat detection: This detection method uses the baseline established by average network traffic conditions and compares current traffic conditions with that baseline to identify any abnormal or unsafe behavior. If any such activity is found, the IPS takes the appropriate action to safeguard against it. This technique can provide a defense against unknown threats.
  • Stateful protocol analysis detection: This method looks for deviations of the observed protocol states from a standard predefined profile.
  • Passive monitoring: In this technique the IPS simply sits and monitors for abnormal or suspicious behavior, such as an unusual amount of traffic from the same IP address (a DoS attempt), and takes the required action against it.
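As an added example of anomaly-based detection and passive monitoring (illustrative code, not taken from any IPS product), the following Python builds a per-source baseline from constructed connection log lines, then flags a source that floods far above that baseline and a source that sweeps many ports within one minute.

```python
"""Added example: anomaly-based detection over constructed connection logs.
A baseline of per-source, per-minute connection counts is learned from
normal traffic; later traffic is compared against it. Not product code."""
import re
import statistics
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed iptables-style line; only the timestamp, SRC and DPT fields are used.
LOG_RE = re.compile(r"^(\S+) .*?SRC=(\S+) .*?DPT=(\d+)")


def parse_connections(lines):
    """Yield (minute_bucket, src_ip, dst_port) for each parsable log line."""
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S")
        yield ts.replace(second=0), m.group(2), int(m.group(3))


def connections_per_minute(lines):
    """Count connections per (minute, source)."""
    return Counter((minute, src) for minute, src, _ in parse_connections(lines))


def build_baseline(lines, floor=10):
    """Threshold = mean + 3 standard deviations of the per-source, per-minute
    counts seen in normal traffic, never lower than `floor` (avoids alerting
    on tiny absolute numbers when the baseline is very quiet)."""
    counts = list(connections_per_minute(lines).values())
    mean, sd = statistics.mean(counts), statistics.pstdev(counts)
    return max(floor, mean + 3 * sd)


def detect_rate_anomalies(lines, threshold):
    """Sources that exceed the baseline in any minute: the 'unusual amount of
    traffic from the same IP address' case described above."""
    return sorted((src, minute.isoformat(), n)
                  for (minute, src), n in connections_per_minute(lines).items()
                  if n > threshold)


def detect_port_scans(lines, min_ports=15):
    """Sources touching many distinct destination ports within one minute."""
    ports = defaultdict(set)
    for minute, src, dport in parse_connections(lines):
        ports[(minute, src)].add(dport)
    return sorted((src, minute.isoformat(), len(p))
                  for (minute, src), p in ports.items() if len(p) >= min_ports)


def make_lines(start, src, count, ports=(80,)):
    """Construct `count` log lines from `src` within the minute starting at `start`."""
    return [f"{(start + timedelta(seconds=i)).isoformat()} kernel: FW IN=eth0 "
            f"SRC={src} DST=192.168.1.20 PROTO=TCP DPT={ports[i % len(ports)]}"
            for i in range(count)]


# Constructed normal traffic: three hosts, 2 to 4 connections per minute, five minutes.
BASE = datetime(2012, 11, 29, 10, 0)
BASELINE_LINES = [line for m in range(5)
                  for src, n in (("10.0.0.5", 3), ("10.0.0.6", 2), ("10.0.0.7", 4))
                  for line in make_lines(BASE + timedelta(minutes=m), src, n)]

# Constructed later window: normal hosts plus one flood and one port sweep.
WINDOW = BASE + timedelta(minutes=30)
LIVE_LINES = (make_lines(WINDOW, "10.0.0.5", 3)
              + make_lines(WINDOW, "10.0.0.6", 2)
              + make_lines(WINDOW, "10.0.0.9", 40)                        # flood from one source
              + make_lines(WINDOW, "10.0.0.8", 20, ports=range(1, 21)))   # 20 distinct ports

if __name__ == "__main__":
    threshold = build_baseline(BASELINE_LINES)
    print("per-minute threshold:", threshold)
    print("rate anomalies:", detect_rate_anomalies(LIVE_LINES, threshold))
    print("port sweeps:", detect_port_scans(LIVE_LINES))
```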
An IPS must not be confused or mistaken as a substitute for another network security measure, namely: the firewall. The job of a firewall is to limit access to a network/system, and it is generally not capable of detecting and preventing an intrusion.
Firewalls basically work based on filtering rules, whereas an IPS uses signature-based threat detection (and many other techniques) to safeguard the network/system. A firewall's job is to allow or block traffic, whereas an IPS's job is to determine if there is something malicious in the traffic allowed by the firewall. An IPS is usually deployed behind a firewall on a network. Neither of these two tools should be considered a replacement for the other; instead, they must be deployed in conjunction with each other to implement defense in depth.
Some of the best tools of the trade are described below:
The first free and open source NIDPS (network intrusion detection and prevention system) is called Snort. Originally released by Martin Roesch (Sourcefire founder and CTO) in 1998, Snort has become one of the most widely deployed IDPSs. Snort can perform real time analysis of traffic and logging of packets on an IP network. It analyses the protocol, searches/matches the content, and is capable of detecting the different kinds of attacks described earlier in the article (port scanning, OS fingerprinting, buffer overflow, etc.).
The latest version of the application can be downloaded from http://www.snort.org/snort-downloads/. Figure 1 shows a standard example of the Snort interface.

Figure 1. Snort Interface
Snort has three primary uses:
  • Packet sniffer: Read and display network packets.
  • Packet logger: Logs the packets to the disk, which can be used for network traffic debugging.
  • Intrusion prevention system (IPS): Monitors and analyses the traffic based on the predefined rule-set and performs the specified action.
Snort rules are at the core of detecting any intrusion attempt; they define the approach used to perform detection. Snort rules are written against vulnerabilities, unlike signatures, which are based on exploits and can be bypassed by modifying the exploit. Figure 2 shows the output of the packet dump mode.

Figure 2. Snort packet dump output
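To show how a Snort-style rule is evaluated against traffic, here is an added Python example (illustrative code, not Snort's engine, and the rules are constructed rather than taken from a real ruleset): it parses the rule header and the content/nocase/depth options and matches constructed packets against the rules.

```python
"""Added example: a minimal Snort-style rule matcher showing how
signature-based detection works. Supports the header (action, protocol,
addresses, ports) and one content option per rule with nocase/depth
modifiers. Not Snort's code; rules and packets are constructed."""
import ipaddress
import re

# Constructed rules in Snort syntax (illustrative sids, not a real ruleset).
SAMPLE_RULES = r'''
alert tcp any any -> 192.168.1.0/24 80 (msg:"WEB-MISC directory traversal"; content:"../.."; nocase; sid:1000001; rev:1;)
alert tcp any any -> any 22 (msg:"SSH banner seen"; content:"|53 53 48 2d|"; depth:4; sid:1000002; rev:1;)
'''

# key, optional ":value" (quoted or bare), terminated by ";"
OPTION_RE = re.compile(r'(\w+)(?::\s*("(?:[^"\\]|\\.)*"|[^;]*))?;')


def parse_content(value):
    """Convert a content string with |hex| sections into bytes."""
    out = bytearray()
    for i, part in enumerate(value.split("|")):
        out += bytes.fromhex(part) if i % 2 else part.encode("latin-1")
    return bytes(out)


def parse_rule(line):
    """Split one rule into header fields and an ordered option list."""
    head, _, body = line.partition("(")
    action, proto, src, sport, _direction, dst, dport = head.split()
    options = [(k, v.strip().strip('"')) for k, v in OPTION_RE.findall(body.rstrip().rstrip(")"))]
    opts = dict(options)
    return {"action": action, "proto": proto, "src": src, "sport": sport,
            "dst": dst, "dport": dport, "msg": opts.get("msg", ""),
            "sid": int(opts.get("sid", 0)), "options": options}


def load_rules(text):
    return [parse_rule(l) for l in text.strip().splitlines() if l.strip() and not l.startswith("#")]


def addr_matches(spec, ip):
    return spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def port_matches(spec, port):
    return spec == "any" or int(spec) == port


def rule_matches(rule, pkt):
    """True if the packet satisfies the rule header and its content test."""
    if rule["proto"] != pkt["proto"]:
        return False
    if not (addr_matches(rule["src"], pkt["src"]) and port_matches(rule["sport"], pkt["sport"])):
        return False
    if not (addr_matches(rule["dst"], pkt["dst"]) and port_matches(rule["dport"], pkt["dport"])):
        return False
    content, nocase, depth = None, False, None
    for key, val in rule["options"]:      # modifiers apply to the preceding content
        if key == "content":
            content = parse_content(val)
        elif key == "nocase":
            nocase = True
        elif key == "depth":
            depth = int(val)
    if content is None:
        return True                       # header-only rule
    hay = pkt["payload"] if depth is None else pkt["payload"][:depth]
    if nocase:
        hay, content = hay.lower(), content.lower()
    return content in hay


def scan(rules, packets):
    """Return (sid, msg, packet_index) for every rule that fires on each packet."""
    return [(r["sid"], r["msg"], i)
            for i, pkt in enumerate(packets) for r in rules if rule_matches(r, pkt)]


# Constructed packets: traversal attempt, normal request, SSH banner, and a
# traversal string to a host outside the rule's destination network.
SAMPLE_PACKETS = [
    {"proto": "tcp", "src": "10.0.0.5", "sport": 51000, "dst": "192.168.1.20", "dport": 80,
     "payload": b"GET /static/../../private.txt HTTP/1.1\r\n"},
    {"proto": "tcp", "src": "10.0.0.5", "sport": 51001, "dst": "192.168.1.20", "dport": 80,
     "payload": b"GET /index.html HTTP/1.1\r\n"},
    {"proto": "tcp", "src": "10.0.0.7", "sport": 40000, "dst": "192.168.1.30", "dport": 22,
     "payload": b"SSH-2.0-OpenSSH_5.9\r\n"},
    {"proto": "tcp", "src": "10.0.0.7", "sport": 40001, "dst": "172.16.0.9", "dport": 80,
     "payload": b"GET /../../ HTTP/1.1\r\n"},
]

if __name__ == "__main__":
    for sid, msg, idx in scan(load_rules(SAMPLE_RULES), SAMPLE_PACKETS):
        print(f"[{sid}] {msg} (packet {idx})")
```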
Next in the list is another free and open source tool called OSSEC. OSSEC is a host-based intrusion detection system, but that's not all; it also contains aspects of a log monitor and a security information and event manager (SIM/SIEM), which makes it a unique tool in its arena. A security event manager can be understood as a tool used on a large network to centralize the storage and interpretation of events/logs generated by other applications.
OSSEC is capable of performing:
  • Log analysis
  • Registry monitoring
  • File integrity check
  • Rootkit detection
  • Real-time alerting
  • Active response
OSSEC can be easily implemented across multiple platforms such as Linux, Mac, Windows, BSD, VMware ESX, etc. OSSEC has a cross platform architecture that allows it to monitor and manage multiple systems easily through a centralized management server. It can easily be integrated with an existing system to perform centralized event reporting. Figure 3 shows the initiation of OSSEC.

Figure 3. OSSEC initiation
OSSEC contains a manager, which is the center of the deployment. It stores and performs all the functions and hence acts as a server. Agents are installed on the machines that need to be monitored. Agents send information in real time to the manager for analysis. OSSEC also allows integrity checks on devices that do not allow installation of an agent, such as routers, firewalls, etc. OSSEC agents can also be installed on a virtual machine (VMware ESX) and can help monitor the virtualization platform. Figure 4 displays the output log.

Figure 4. OSSEC output log
Last in the list is Honeyd, which is also an open source program. It is not actually an IPS/IDS but a honeypot which allows its user to set up virtual hosts. These virtual hosts can act as decoys for attackers and distract them from legitimate systems. They can also help to catch attackers after distracting them from the intended target. Figure 5 shows the Honeyd interface. Honeyd in action is displayed in figure 6.

Figure 5. Honeyd interface

Figure 6. Honeyd in action
Some IPS/IDS evasion techniques as explained on Wikipedia (http://en.wikipedia.org/wiki/Intrusion_detection_system_evasion_techniques) are:
  • Obfuscating attack payload: Encoding the payload of the attack in a manner such that the target machine will be able to reverse it but the IPS/IDS will not.
  • Polymorphic code: Creating the same attack in different (unique) forms so that the IPS/IDS does not detect it.
  • Packet fragmentation: Breaking the attack payload into many small packets so that the IPS/IDS is not capable of reassembling them to detect the attack.
  • Overlapping fragments: Crafting a series of packets with overlapping TCP sequence numbers.
  • Traffic insertion at the IPS/IDS: Sending packets crafted with a TTL (time to live) such that they only reach the IDS/IPS.
  • Denial of Service/Distributed Denial of Service (DoS/DDoS): By exploiting a vulnerability/bug, the IPS/IDS can be flooded with traffic that overloads all its computational resources, which makes it unusable.
One tool that needs to be mentioned here is fragroute. Fragroute is a tool that is capable of intercepting, modifying, and rewriting outbound traffic for a specified host. The capabilities of this tool make it one of the standard tools used for IPS/IDS evasion. The latest version of the tool (i.e. fragroute-1.2.5-ipv6) is compatible with IPv6 networks. The tool can be downloaded from http://code.google.com/p/fragroute-ipv6/downloads/list. The non-IPv6 version can be found at http://monkey.org/~dugsong/fragroute/. Figure 7 shows the fragroute interface.

Figure 7. Fragroute interface
Conclusion:
Today there are many technologies present in the market designed to safeguard systems/networks from being attacked and to prevent data loss. From firewalls to anti-virus to encryption systems etc., there are many protective measures we can use to hide our precious data.
Yet even with the plethora of security technology, we have to face intrusion events and worry about our data being stolen. The main source of such occurrences is the lack of awareness among common people and even people who are supposed to look after our data. People confuse different security measures and consider one a substitute for another, which can lead to data compromise.
Intrusion detection and prevention systems provide us with the first line of defense against malicious intruders. We must not consider an IPS as a substitute for IDS (it’s a different case if the same tool provides all the functions of both tools). IPS and IDS provide the control and visibility required by any enterprise to protect its infrastructure from being attacked and taken over.
One of the most important factors to take into consideration when utilizing an IPS/IDS is: proper inclusion into the infrastructure through deployment. Improper deployment will lead to a huge slowdown of the network and improper management.
Some best-practices that should be followed regarding IPS/IDS:
  • Identify and prioritize risk areas for proper deployment.
  • Ensure complete coverage of the network.
  • Plan appropriate incident response in case an intrusion is detected.
  • Awareness and training for the staff.


Monday, September 24, 2012

Metadata: The Hidden Treasure

In today's information age, data is very crucial for every organization. From an information security point of view too, data is what everybody is after, be it the hacker or the pentester. Data loss for any organization can have a very negative impact financially as well as reputation-wise. Generally organizations are aware of the information they reveal through different online media, but what about the data that is being exposed without the organization's knowledge and which could be crucial from a security perspective? In this article we are going to learn about the information hidden in documents and files present in the public domain which could be sensitive from a security perspective, and also how to deal with it.
First, here are some basic terms that need to be understood before going any further.
Metadata: Simple data can be described as raw values which need to be processed for the purpose of generating information and deriving knowledge. Metadata is commonly described as 'data about data'; however this definition is not complete and does not cover all properties of metadata. A better definition, as given by Wikipedia (http://en.wikipedia.org/wiki/Metadata), is as follows.
Metadata (metacontent) is defined as data providing information about one or more aspects of the data, such as:
  • Means of creation of the data
  • Purpose of the data
  • Time and date of creation
  • Creator or author of data
  • Location on a computer network where the data was created
  • Standards used
Metadata has been utilized for various purposes, from cataloging archives and data virtualization to SEO (Search Engine Optimization) for web sites. All this metadata is put up intentionally by the owner for the purpose of better and easier management of information; whereas in this article we are going to talk about the metadata that a user puts up without being aware of it (most of the time).
Information gathering: This is the very first and very essential phase of any security assessment project. The focus is on collecting as much information as possible related to the target. The success of any pentest relies heavily on the information gathering phase, as it is the information collected during this phase that is leveraged in later stages for the purpose of intrusion. The task of gathering information can be done utilizing various methods such as OSINT (Open Source Intelligence) tools, e.g. search engines, scanners, fingerprinting tools (active and passive), etc.
OSINT (Open Source Intelligence): Open Source Intelligence involves finding, selecting and procuring information from sources which are publicly available. This information can be used to derive intelligence on which critical decisions can be based. Open source intelligence can be collected from a variety of sources such as newspapers, web based content, public documents etc. From a cyber security point of view it is mostly the web based content that is the main source of open source intelligence. The advantage of open source intelligence is that it is present in the public domain and hence it is easy to access. It is a very crucial part of the information gathering phase of security testing.
The first tool of the trade in the list is Metagoofil.
Metagoofil: Metagoofil is a Linux-based tool developed in Python which extracts metadata from public documents which are available on the target website(s). Metagoofil supports different document types like pdf, doc, xls, ppt, odp, ods, docx, xlsx, pptx. The tool utilizes different Python libraries like GoogleSearch, Hachoir, PdfMiner etc. for the purpose of locating the files and extracting metadata. The output of the tool is displayed as a report in HTML format, which can be easily viewed in a browser. BackTrack 5 comes preinstalled with the application. The latest version of the tool is 2.1 and can be downloaded from http://code.google.com/p/metagoofil/downloads/detail?name=metagoofil-2.1_BH2011_Arsenal.tar.gz&can=2&q=

Steps of operation:
  • Perform Advanced Google Search (Google Dorks) to find the documents on the target website.
  • Download the number of files as specified from the search output to local disk.
  • Extract Metadata using different libraries.
  • Save and display the output (extracted metadata) in HTML format on the web browser.

The result contains User names, Software versions, e-mails, servers and paths found during the operation. The latest version also extracts MAC (Media Access Control) address from Microsoft office documents. Now with this open source information one can prepare a better Pentest plan. The extracted information can be exploited to perform a brute force attack on various services or to execute a social engineering attack. Figure 1 displays the metagoofil interface along with the options present.
Figure 1. Metagoofil Interface
Metagoofil options as listed in the application:
        -d: domain to search
        -t: filetype to download (pdf,doc,xls,ppt,odp,ods,docx,xlsx,pptx)
        -l: limit of results to search (default 200)
        -h: work with documents in directory (use “yes” for local analysis)
        -n: limit of files to download
        -o: working directory
        -f: output file
Figure 2 shows the tool in action. The tool searches for the files using search engine libraries and then downloads the specified number of files for metadata extraction.
Figure 2. Metagoofil in action
Figure 3, 4 and 5 display the result of the tool. The result consists of the list of User names, Software versions, emails, servers, paths and files analyzed. The result HTML file also shows the output in the form of the bar graph.
Figure 3. Metagoofil Result 1
Figure 4. Metagoofil Result 2
Figure 5. Metagoofil Result 3

Second tool in the list is Exif Tool
Exif Tool: ExifTool is a software application which can read, write and edit metadata in an extensive variety of files. It is a platform-independent Perl library and is also available as a command-line application. The tool supports many different metadata formats, including EXIF, GPS, IPTC, XMP, JFIF, GeoTIFF, Photoshop IRB, FlashPix and ID3, as well as the manufacturer-specific notes of many digital cameras. The list of supported file types is very extensive and can be found at http://www.sno.phy.queensu.ca/~phil/exiftool/. The download link of the tool is http://www.sno.phy.queensu.ca/~phil/exiftool/exiftool-8.92.zip. An online version of the tool is also available at http://regex.info/exif.cgi. Figure 6 shows the ExifTool interface. The output of ExifTool is demonstrated in Figure 7, which shows the metadata extracted from an image file.
Figure 6. Exif tool interface
Figure 7. Exif tool displaying the extracted metadata
Next in the list is FOCA
FOCA: FOCA means seal in Spanish. FOCA, or Fingerprinting Organizations with Collected Archives, is a tool to discover files on a target website and extract metadata from them. FOCA is a Windows based tool for metadata extraction. Unlike the previous tools it provides a GUI for easy usage. It is similar in operation to the Metagoofil tool discussed previously: it uses search engines to discover files and extracts metadata which can be utilized in the subsequent steps of pentesting. There also exists an online version of the application, which can be found at http://www.informatica64.com/foca/. The new features in the latest version (i.e. 3.0.2) as described on the official website are as follows (http://www.informatica64.com/foca.aspx):
  • New Interface
  • Panel multithreaded tasks.
  • Search proxy service.
  • Search for services registered in the DNS
  • Search and analysis of ICA and RDP files.
  • Search for proxies
  • Leakage analysis (based on output errors).
  • Search for domains with anti-spam policy.
  • Search DS_Store files in each folder.
  • URL Search in files “robots.txt”
  • Autosave project, among others.
Figure 8 shows the home screen of the application. The user needs to input a project name and the domain that is to be parsed for the discovery and extraction of metadata.
Figure 8. FOCA Home Screen
Figure 9. FOCA interface displaying the list of files on the defined domain
Figure 9 shows the list of the files found on the domain specified by the user. FOCA utilizes different search engines for the purpose of discovering the list of files. After discovering the list, the user needs to download the file(s) so that the metadata can be extracted from them. Figure 10 displays the extracted metadata from the files downloaded.
Figure 10. FOCA displaying the extracted metadata
The last tool in the list is Exif2maps.sh.
Exif2maps.sh: This is a script which pulls the GPS location data out of images. iPhones store GPS Exif data with the images they take. The script simply extracts a Google Maps link containing the coordinates. The script can be found at http://www.securityaegis.com/stealing-gps-data-from-images-in-pentests/. Figure 11 shows the output of the tool as a link to Google Maps. Figure 12 displays the resulting location on Google Maps.
Figure 11. Result of Exif2maps.sh script

Figure 12. Location displayed on google maps
Mitigation
As we have seen, a great deal of critical information is revealed through the documents and files we upload without realizing it. The solution to this problem is DLP or Data Loss Prevention tools. Some of these tools are as follows:
MetaShield Protector: MetaShield Protector is a solution which helps to prevent data loss through office documents published on the web site. It is installed and integrated at Web Server level of the web site. On a request for any document, it cleans it on the fly and then delivers it. MetaShield Protector can be found at http://www.metashieldprotector.com/.
MAT: MAT or Metadata Anonymisation Toolkit presents a solution for the purpose of metadata removal. It is developed in Python and utilizes Hachoir library for the purpose. Formats supported by the toolkit as listed on the official website (https://mat.boum.org/):
  • Portable Network Graphics (.png)
  • JPEG (.jpg, .jpeg, …)
  • Open Documents (.odt, .odx, .ods, …)
  • Office OpenXml (.docx, .pptx, .xlsx, …)
  • Portable Document Fileformat (.pdf)
  • Tape ARchives (.tar, .tar.bz2, .tar.gz, …)
  • Zip (.zip)
  • MPEG AUdio (.mp3, .mp2, .mp1, …)
  • Ogg Vorbis (.ogg, …)
  • Free Lossless Audio Codec (.flac)
  • Torrent (.torrent)
MyDLP: A free data leakage prevention solution with multi-site configuration. It provides a comprehensive open source DLP solution. MyDLP is available under GPL license. The community and the enterprise version of the solution are hosted at http://www.mydlp.com/products.
OpenDLP: A complete DLP suite with centralized web frontend for the purpose of management. OpenDLP is hosted at https://code.google.com/p/opendlp/.
Doc Scrubber: A freeware to scrub off hidden data from word documents (.doc). Doc Scrubber can be downloaded from http://www.javacoolsoftware.com/dsdownload.html.
Exif Tool: A software application which can read, write and edit metadata in an extensive variety of files.
Removing Geo-tags: Picasa, the image organizing and editing application by Google can help to remove geo-tags from images. The link to the help and support page is
Conclusion:
Data Loss Prevention is a serious matter for organizations today. It could cost more than the value of the data itself if this data gets into the hands of a malicious intruder. We saw how we reveal sensitive information through the documents and files we upload, without even realizing it. This information can be exploited by an attacker/pentester for the purpose of intrusion. The criticality of such information is such that it can be the difference between a successful and a failed penetration. It has been demonstrated that metadata extraction can be easily accomplished with the help of the tools mentioned earlier (all of which are free). This puts considerable power in the hands of a skilled pentester/attacker, who can utilize it to launch a well thought out attack. An IT Administrator can utilize the same tools to detect the organization's metadata leakage and stop it.
All this information need not be on the open web, but most organizations don't realize that it exists and hence remain unaware of it. Companies implement many policies to prevent data leakage, like blocking social networking websites, third party e-mail services etc., but few realize that this medium is leaking information without their knowledge. Policies and procedures need to be developed for document sanitization before hosting documents online. Strong policies and the mitigation methods mentioned above, if employed properly, can help to prevent such data loss and help the organization implement defense in depth.
Best Practices for Data Loss Prevention:
  • Identify and prioritize risk areas
  • Ensure complete coverage
  • Protect all the data (not just the sensitive one)
  • Plan appropriate incident response
  • Awareness and Training


You can learn Ethical Hacking from the Infosec Institute, one of the leading institutes in the field of Information Security training: http://www.infosecinstitute.com/courses/ethical_hacking_training.html