Chapter 3
[ 77 ]
Here is a sample output you receive from JCheck when something has changed:
Additions since the last run
Added:/home/public_html/administrator/ov56__JOBID1_20071128_125600.sql.gz

Type : file
Permissions : -rw-r--r--
Date Modified : Nov 28 2007 12:56:01
Date Changed : Nov 28 2007 12:56:01
Owner : 32401
Group : 902
Size : 70268
MD5 key : ccfe5703a71ab8ccaa6049bf83382a53

Added:/home/ov56/public_html/administrator/components/com_jts

The le that is changed or added to our site is a backup le being generated from our
backup tool. It has been given an MD5 hash, and this hash will be compared with the
next run to ensure that nothing has changed.
JCheck can be congured to run as frequently as hourly, alerting you to alterations.
While this won't stop an attack on your site, it will minimize downtime by alerting
you to potential changes.
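The baseline-and-compare logic behind a report like the one above, as an added example written for this chapter (it is not JCheck's code): each entry is fingerprinted with the same attributes JCheck prints, a later run is compared with the baseline, and anything added, removed or altered is reported. The directory layout and file contents in demo() are constructed.

```python
import hashlib
import os
import stat
import tempfile
from pathlib import Path

def fingerprint(path: Path) -> dict:
    """Record the attributes JCheck reports for one entry (type, perms, owner, size, MD5)."""
    st = path.lstat()
    is_file = stat.S_ISREG(st.st_mode)
    return {
        "type": "file" if is_file else ("dir" if stat.S_ISDIR(st.st_mode) else "other"),
        "perms": stat.filemode(st.st_mode),
        "owner": st.st_uid,
        "group": st.st_gid,
        "size": st.st_size if is_file else None,   # directory sizes vary by filesystem
        "md5": hashlib.md5(path.read_bytes()).hexdigest() if is_file else None,
    }

def snapshot(root: str) -> dict:
    """Fingerprint every entry below root; keys are paths relative to root."""
    result = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            p = Path(dirpath) / name
            result[p.relative_to(root).as_posix()] = fingerprint(p)
    return result

def compare(old: dict, new: dict) -> dict:
    """Report what was added, removed or altered since the previous run."""
    sig = lambda e: (e["perms"], e["size"], e["md5"])
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "changed": sorted(k for k in set(old) & set(new) if sig(old[k]) != sig(new[k])),
    }

def demo() -> dict:
    """Constructed scenario: a backup archive appears and a core PHP file is edited."""
    with tempfile.TemporaryDirectory() as root:
        admin = Path(root) / "administrator"
        admin.mkdir()
        (admin / "index.php").write_text("<?php // original\n")
        baseline = snapshot(root)                      # first run: the baseline
        (admin / "index.php").write_text("<?php // tampered\n")
        (admin / "backup_20071128.sql.gz").write_bytes(b"\x1f\x8b constructed")
        return compare(baseline, snapshot(root))       # second run: the alert
```

In production the baseline would be written to disk (outside the web root) after each run and reloaded on the next one, rather than held in memory as demo() does.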
Publishing the module gives us another security logo, telling our users we are on top
of our game.
JCheck is copyrighted commercial software. The core library is encrypted.
The supplied Joomla! or Mambo module is open-source software, and is released
under the LGPL license. You can obtain this and other great products at:
.
This material is copyright and is licensed for the sole use by Thomas Rosenblum on 4th December 2008
1010 SW High Ave., , Topeka, , 66604
NMAP—Network Mapping Tool from insecure.org
If you are managing your own hardware, such as your own physical installation,
gateways, firewalls, and so on, then you will need Nmap to ensure that you have
configured your system hardware properly.
Nmap is available from insecure.org under GNU/GPL, and offers a veritable host
of features that would cost you a lot if you bought them from a commercial vendor.
Here is the description according to insecure.org:
Nmap (Network Mapper) is an open-source tool for network exploration and
security auditing. It was designed to rapidly scan large networks, although it works
fine against single hosts. Nmap uses raw IP packets in novel ways to determine what
hosts are available on the network, what services (application name and version)
those hosts are offering, what operating systems (and OS versions) they are running,
what type of packet filters/firewalls are in use, and dozens of other characteristics.
While Nmap is commonly used for security audits, many systems and network
administrators find it useful for routine tasks such as network inventory, managing
service upgrade schedules, and monitoring host or service uptime.
Running this tool against the server shows several open ports. The 3306/tcp port is
wide open for MySQL. A quick search for "vulnerability port 3306" turns up quite a
bit of interesting information, and there are several exploits available to attack this
open port. Typically, you would want to put your MySQL server behind a Demilitarized
Zone or DMZ. This will protect it and you won't have to open a port to it. By
opening a port such as this, we may not be vulnerable, but we will be leaking
information, if only a little. This gives a clever hacker research information to
enumerate and map our network, whereas in the example that follows we don't
give out that information, nor expose our servers. We access them through a client
interface, which handles the gory details of the hand-off in the background. Note that
in both screenshots, critical information such as IP address, server location/name, etc.
has been removed.
Here is a scan on a different host. This shows only the fewest open ports necessary
and is clearly a much more secure host.
Why concern ourselves with this? First, we do not need to remotely access
our databases. This is best handled through your administration tools, such as
phpMyAdmin located on the box (physically), or through your host's interface.
Second, in 2005 a Windows-based "bot" attack was using port 3306 (and others) to
create zombies on the Internet.
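A small triage script over Nmap's grepable (-oG) output, added here as an example (it is neither the book's nor Nmap's code), that does what the two scans above show by eye: it flags hosts on which a service that has no business facing the Internet, such as MySQL on 3306/tcp, is open. The scan lines are constructed, and the set of should-be-internal ports is an assumption you would adapt to your own environment.

```python
import re

# Assumed policy: services that a web host should never expose to the Internet.
NOT_PUBLIC = {3306: "mysql", 5432: "postgresql", 1433: "ms-sql-s",
              445: "microsoft-ds", 139: "netbios-ssn", 21: "ftp"}

# Constructed -oG output mirroring the chapter's two scans: one host leaking
# MySQL 4.0.23 on 3306/tcp, one exposing only its web ports.
SAMPLE_GNMAP = """\
# Nmap 4.50 scan initiated (constructed sample)
Host: 192.0.2.10 (web-old.example.test)\tPorts: 22/open/tcp//ssh//OpenSSH 4.3/, 80/open/tcp//http//Apache httpd 2.2.3/, 3306/open/tcp//mysql//MySQL 4.0.23/\tIgnored State: closed (997)
Host: 192.0.2.20 (web-new.example.test)\tPorts: 80/open/tcp//http//Apache httpd 2.2.3/, 443/open/tcp//https//Apache httpd 2.2.3/\tIgnored State: filtered (998)
# Nmap done (constructed sample)
"""

# One -oG port entry: port/state/protocol/owner/service/rpc-info/version/
PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)/[^/]*/([^/]*)/[^/]*/([^/]*)/")

def parse_gnmap(text):
    """Return {host: [(port, state, proto, service, version), ...]} per Host line."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        fields = line.split("\t")
        host = fields[0].split()[1]
        ports_field = next((f for f in fields if f.startswith("Ports:")), "")
        hosts[host] = [(int(p), st, pr, svc, ver)
                       for p, st, pr, svc, ver in PORT_RE.findall(ports_field)]
    return hosts

def exposed_services(text):
    """List (host, port, banner) for every open port that is in NOT_PUBLIC."""
    findings = []
    for host, ports in parse_gnmap(text).items():
        for port, state, proto, service, version in ports:
            if state == "open" and port in NOT_PUBLIC:
                findings.append((host, port, version or service))
    return findings

if __name__ == "__main__":
    for host, port, banner in exposed_services(SAMPLE_GNMAP):
        print(f"{host}: {port}/tcp should not be public ({banner})")
```

Run it on a real scan with nmap -sV -oG scan.gnmap <your own host> and feed the file's contents to exposed_services().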
If an attacker were interested in testing your server for vulnerability, and discovered
that you had this port open, he or she might use information such as this, found on
www.sans.org:
MODERATE: MySQL Authentication Bypass Vulnerability
Affected: MySQL versions 4.1.0, 4.1.1, 4.1.2 and early builds of version 5.0
Description: MySQL is a widely used, open-source database with a reported
five million installations world-wide. The database runs on a number of
operating systems, and is typically deployed as a back-end database for
web applications. The software contains multiple vulnerabilities in its
authentication module, specifically in the "check_scramble_323" function.
An attacker can specify a certain value for the "client capability" flag, and
obtain an unauthorized access to the database via a null password. The
attacker can obtain the privileges of any user on the MySQL server, provided
the username is correctly guessed. The attacker can also trigger a stack-based
buffer overflow by providing an overlong password string. The overflow
may be exploitable on a few platforms to execute arbitrary code. Note that
the flaws cannot be exploited using the available MySQL clients. The attacker
would have to create a custom MySQL client. The technical details required to
leverage the flaws and multiple exploits have been publicly posted.
Other tools at an attacker's disposal would allow him or her to learn what version of
MySQL you are running and launch an attack on you. For instance, if the attackers
were able to get the versioning information—say through one of the diagnostic
tools—and they learned that the server with an open port is running MySQL 4.0.23,
then they would know how to launch an attack.
To be fair, if we set up our MySQL to speak only to "trusted hosts", then that would
lower our attack surface a bit, but why take the chance?
While this chapter was being written, insecure.org released a new graphical
version of Nmap. This GUI gives users who are new to Nmap the ability to run scans
through an easy-to-use point-and-click interface. The following is an image of the
GUI interface:
Wireshark
Another useful tool is the packet sniffer. This is a tool that allows you to monitor
all in-bound and out-bound traffic on your network. This can serve two purposes:
First, it ensures that your personal network is not doing something that it shouldn't.
Secondly, it allows you to monitor your web server for attempted attacks.
I recently used this tool for a customer in an audit. We discovered that their site
had been penetrated by a cracker from China. And he/she was attempting to gain
further access.
Using this tool, the packets going to and from the server were monitored. There were
several suspicious packets in the internal IPC$ share (a Windows internal share).
They were not sharing this box with anyone. Further analysis led to the examination
of the server logs, thus exposing the break-in. This was quickly dealt with, but may
have continued if this tool had not been deployed.
The following list of features of this tool is from the website www.wireshark.org:
Deep inspection of hundreds of protocols, with more being added all the time
Live capture and offline analysis
Standard three-pane packet browser
Multi-platform: Runs on Windows, Linux, OS X, Solaris, FreeBSD, NetBSD, and many others.
Captured network data that can be browsed via a GUI, or via the TTY-mode TShark utility
The most powerful display filters in the industry
Rich VoIP analysis
Read/write many different capture file formats: tcpdump (libpcap), Catapult DCT2000, Cisco Secure IDS iplog, Microsoft Network Monitor, Network General Sniffer (compressed and uncompressed), Sniffer Pro, and NetXray, Network Instruments Observer, Novell LANalyzer, RADCOM WAN/LAN Analyzer, Shomiti/Finisar Surveyor, Tektronix K12xx, Visual Networks Visual UpTime, WildPackets EtherPeek/TokenPeek/AiroPeek, and many others.
Capture files compressed with gzip can be decompressed on the fly.
Live data can be read from Ethernet, IEEE 802.11, PPP/HDLC, ATM, Bluetooth, USB, Token Ring, Frame Relay, FDDI, and others (depending on your platform).
Decryption support for many protocols, including IPsec, ISAKMP, Kerberos, SNMPv3, SSL/TLS, WEP, and WPA/WPA2
Coloring rules can be applied to the packet list for quick, intuitive analysis.
Output can be exported to XML, PostScript, CSV, or plain text.
This tool was released under the GNU/GPL license, and is considered the de facto
and sometimes the de jure network protocol analyzer for IT shops across the world.
The following screenshots are broken up into parts for ease in publishing this book.
Let's examine them now:
The rst column on the left is the packet sequence as it arrived in the network
card. The second one is Time. The third and fourth are SOURCE IP and
DESITINATION IP.
As we move to the right of our screen, we'll see this data, which includes the
Protocol in use and also information about the packet:
Here, we note the protocol on the wire, and other information pertinent to this.
If we select a specific packet, we'll see a lot of information about it.
We can drill into each of the above and learn more about the contents of the packet.
If an evil cracker is able to insert a sniffer into your network, he or she can learn the
passwords very quickly. This tool watches your network for problems, for example
configuration issues, and such other things.
And lastly, the data that is contained in the packet allows us to see what is
being transmitted.
As there are several other things that Wireshark can do, I suggest you download it
and learn all you can about this tool. It will enable you to keep a close watch on all
your network activities.
Metasploit—The Penetration Tester's Tool Set
Metasploit is a complete set of tools running on the Metasploit Framework that has
been developed for security testing through penetration testing. The Metasploit
Framework or MSF allows for discovery of vulnerabilities, proper disclosure to the
vendor or developer of the problem application, analysis of your code or website,
and development of new exploits.
When we launch MSF we see the following control panel, which will guide us
through the various functions:
As the site administrator, you may wish to run this against your own site to
determine if you have any unknown vulnerabilities.
To do so, we select Exploits from the MSF menu bar. After the selection, we get the
following screenshot:

The Search box enables the tester to search for exploits by platform, code, or use. For
instance, if you were to choose PHP in the search box, it would yield several exploits.
As you scroll down, you would find this interesting exploit:
Do you know if your site suffers from this?
Once this exploit is successfully run, MSF will offer you a command shell to interact
with it, enabling you to put a payload into the website. There are several payloads
available and, of course, you could write your own.
To nd payloads, click the PAYLOAD button on the console, search out what you
wanted, and then go about generating the code.
This time Linux was chosen as the target and the exploit payload of Add User. If
the exploit were successful, injecting this payload would add a user to the system
without anyone's knowledge.
Once all the parameters are added, the code generated by MSF looks as follows:
# linux/x86/adduser - 1024 bytes
#
# Encoder: x86/shikata_ga_nai
# NOP gen: x86/opty2
# USER=JohnDoe, SHELL=/bin/sh, PASS=Password
"\xb2\xba\x86\xe3\x3c\x75\x35\x7b\x0b\xd4\xb9\x32\xf5\x90" +
"\x67\x47\xbb\x97\x74\x48\x1c\x83\xe2\x12\xeb\x76\x4e\x99" +
.
.
.
"\xfa\xf1\x14\x74\xf8\xa9\x29\x09\x6a\x4b\xea\xc7\xea\x4b" +
"\x0a\xd8"
Most of the code in the example has been removed; however, you can see the power
of MSF. You may be running your Joomla! site on a Windows platform, and thus you
may think that this excludes you from the exploit. A quick search for other exploits
displays the following screenshot:
This, like the Linux payload, will attempt to add a user to the administration group.
This payload can be inserted by exploiting a hole in Windows, and the surrounding
NetBIOS and shares that may be present on the target system. If an attacker can gain
access to your server, he or she can escalate the account, or add it directly to the
admin group through various means, thus taking over your box and your website.
Are You the Administrator or Owner?
If not both then I strongly discourage the use of this tool. ONLY use this
if you have permission, or a test server, or an owned site. DO NOT use
this on any server or site for which you do not have an express written
permission. Any other use may constitute a criminal act.
Nessus Vulnerability Scanner
The next in our suite of tools is a great product from Tenable Network Security, Inc.
The tool known as Nessus is released as a free, open-source vulnerability scanner.
They offer paid support in addition to the normal (and abundant) documentation.
You may visit their website for details.
Why You Need Nessus
With Nessus, you can test your server for unpatched holes, various vulnerabilities,
and exploits. Tenable Network Security releases updates on an extremely regular
basis and is considered to be one of the top vulnerability scanning tools in the world.