Category Archives: How-to

Adding an additional layer of authentication to websites with HTTP Reverse Proxies

Posted by Walter Goulet on January 31, 2012 No comments

For my last client engagement, I was tasked with adding an additional layer of authentication to a publicly accessible website without actually modifying the website’s application code or web server configuration. After doing a little research, I came upon the idea of using a HTTP reverse proxy to intercept requests to the website and perform additional authentication before letting end users access the target web application.

If you are not familiar with the concept of a HTTP reverse proxy, think of it as a specialized web server that inspects incoming HTTP requests, forwards them to another (usually internal) web server after any local processing is completed, and makes sure that HTTP responses sent back to the client contain proper host names. The following diagram illustrates the typical processing flow when using a SSL enabled reverse proxy server that is acting as a front end to an internal web server.

In this diagram, the reverse proxy server is performing 3 major tasks:

  • Performing an additional level of authentication for client connections.
  • Proxying HTTP requests and rewriting hostnames in HTTP responses.
  • Terminating SSL connection requests from clients.

In addition to the tasks above, it is possible to use a reverse proxy server  as a poor mans web application firewall by filtering HTTP requests that contain invalid characters that could be used for basic SQLi attacks. Reverse proxy functionality is provided by external modules such as mod_proxy for Apache and URL Rewrite/Application Request Routing for IIS.

To get clients to connect to the reverse proxy server instead of the internal application server, the reverse proxy server is usually configured with a public DNS hostname and publicly routable IP address. Thus, any links that are made available to users will resolve to the public IP address/DNS hostname of the reverse proxy server. The reverse proxy server will then perform the job of mapping the external HTTP requests to the proper internal web server.

With that introduction out of the way, let’s discuss how a HTTP reverse proxy can be used to add an additional layer of authentication to a web application. As pointed out earlier, a HTTP reverse proxy is really nothing more than a dedicated web server with additional modules that decide when and how to forward traffic to another web server. Thus, when a user connects to a HTTP reverse proxy server, any authentication method that is supported by the reverse proxy server’s web server platform can be used to authenticate users.

For my engagement, I used IIS 7.5 with URL Rewrite 2.0 as my reverse proxy server. To provide an additional layer of authentication, I used the RSA Web Authentication Agent 7.0 along with Authentication Manager Express. After installing the web authentication agent, I configured the agent to protect all resources on the reverse proxy server. This has the effect of forcing all HTTP requests that are accepted by the reverse proxy server to be intercepted and processed by the web authentication agent. Once the web authentication agent completed the authentication sequence with the client, a record of the authentication is stored in the client’s browser as a cookie. Immediately after the authentication sequence completes, the agent redirects the user back to their original destination which again points to the reverse proxy server. Since authentication is now complete, the web authentication agent will no longer intercept the request and will instead forward the request over to the URL rewrite module. The URL rewrite module will then simply forward requests to the internal web server per the rewrite rules that were configured.

As for the rewrite rules themselves, when using the RSA web authentication agent on the reverse proxy server I found it necessary to write 2 rules for incoming HTTP requests to ensure that the reverse proxy server did not forward requests for the web authentication agent to the internal web server. To handle requests that should be processed by the web authentication agent, I created an inbound URL rewrite rule that matched the URL path for requests to the web authentication agent. The action for this rule was to simply not process it, which permitted the request to drop out of the URL rewrite module and be handled by the web authentication agent. Any other request that did not match the agent’s URL path was forwarded to the internal web server. The following snippet from my web.config file illustrates the rules that were used:

  <rules>
     <rule name="ReverseProxyInboundRule1" enabled="true" stopProcessing="true">
      <match url="(.*)" />
      <conditions>
       <add input="{CACHE_URL}" pattern="^(https?)://" />
       <add input="{REQUEST_URI}" pattern="(.*IISWebAgentIF.dll.*)" />
      </conditions>
      <action type="None" />
     </rule>
     <rule name="ReverseProxyInboundRule2" enabled="true" stopProcessing="true">
      <match url="(.*)" />
      <conditions>
       <add input="{CACHE_URL}" pattern="^(https?)://" />
      </conditions>
       <action type="Rewrite" url="http://www.example-internal.com:8080/{R:1}" logRewrittenUrl="true" />
      </rule>
   </rules>

For fans of open source solutions, the same functionality could easily be provided with Apache’s mod_proxy module using the ProxyPass and ProxyPassReverse directives. The virtual servers that contain these directives would then need to be configured to require authentication at which point any of the standard Apache user authentication methods such as mod_auth or mod_auth_ldap. Apache has the additional advantage of supporting the mod_security web application firewall, so the mod_proxy directives could be easily combined with mod_security to provide both additional client authentication and a transparent WAF.

WEP Cracking 101

Posted by Jon Janego on September 23, 2010 No comments

It’s occured to me, many folks understand that WEP is easy to break, but don’t know all the steps and just how easy it is.  Here I hope to lay down the basic steps in one coherent post.. demonstrating how to crack into a wireless network using WEP, with a client attached to it.

Like always… only do this against your own networks.  The legal grounds are a bit grey here, but the ethical grounds are clear – you shouldn’t pick your neighbor’s doorlock.  Being a security professional also comes with the responsibility to use your skills for good, not evil.

Step 0: get the software.

I assume you’re using linux…. these tools do work on OSX but they require a bit of tweaking i think, and i haven’t done it myself.  so i’ll just write up linux.  you can use a VM of linux but the wireless card support is a bit flakier unless you’re using a USB card.

basically you only will need two packages, kismet, and aircrack-ng

So:
apt-get install kismet
apt-get install aircrack-ng

Step 1: Find a WEP network

Kismet is an amazingly powerful scanning tool and I could write much more about it than we need here.  It takes advantage of the feature in wireless cards to use “monitor mode”, which basically does passive listening for network traffic, and analyzes the traffic into a nice list.  It can do all sorts of other neat stuff like gps logging, etc, but that’s not totally necessary here.

If you don’t know it, you’ll need the interface name for your wireless card.  Check it by typing:

iwconfig
Then, just launch kismet (type ‘kismet‘) and then it will prompt you what your WLAN card is.  It will try and put it into monitor mode and is usually successful, even with built-in wireless.  If not theres some troubleshooting to be done….

Assuming it works, it will give you a list of networks it sees.  It ‘hops’ channels by switching the frequency the card is listening on and collects traffic on that frequency.  If there’s a WEP network in sight, kismet will highlight it in red, and you will need to pay attention to four things:

  • Its BSSID – similar to the MAC address of the access point
  • The ESSID – the ‘friendly name’ of the network
  • The MAC address of a client that is attached to it.
  • The channel the AP is broadcasting on

Kismet has a column that shows the amount of traffic it sees for both the AP in general and the client.  You want to target one with a client attached that is passing data… they’re the easiest targets.

An alternate path to WLAN monitor mode:

If kismet has a hard time putting your card into monitor mode, try running ‘airomon-ng start <interfacename>’ and it should attempt to do so.  If that still doesn’t work…. investigate getting a new card.  The Alfa AWUS306Hf is an excellent USB choice.

Step 2: prepare to attack

If it’s not setup yet, enable monitor mode:

airomon-ng start <interfacename>.

Begin a dump session – this logs traffic, sort of like a lightweight Wireshark.  You want to filter it to only the transactions we’re interested in:

airodump-ng –channel <c> –bssid <xx:xx:xx:xx:xx> –write <fileprefixname> <interfacename>

where c: the broadcast channel of the network
xx: BSSID of the network
<interfacename> – self explanatory (i.e. wlan0mon)

Keep this running and launch a new window for the next steps.

Step 3: do an ARP replay attack

This essentially looks for an ARP request from the attached client, and replays it many many times, enough to create a data set large enough to mount a cryptographic attack against WEP.

aireplay-ng –arpreplay -h <xx:xx:xx:xx:xx:xx> -b <yy:yy:yy:yy:yy:yy:> <interfacename>

where xx: the MAC address of the client
yy: BSSID of the network
<interfacename> – self explanatory (i.e. wlan0mon)

Once this has started, check out the other window.  You should see the data packets starting to increase rapidly.  When you’re at about 40k there is enough to crack a 104-bit WEP key.  The more the better, but no harm in starting early…

Step 4: mount the cryptographic attack

From the same directory you launched the dump process just run this:

aicrcrack-ng <fileprefixname>.cap -0

This will launch a window that shows progress.  if it’s successful, you’ll see the key!  if it’s not… keep waiting for more traffic.  40k+ data packets increases your odds tremendously but if it’s a simple WEP key it requires less.  This tool will actually keep trying as the packet capture increases in size so you can keep it running.  Or quit it (ctrl-c) and wait till you have more.

Step 5: connect!

If all went well you have broken the WEP key via the PTW attack method.  Now you can connect to the network.  Close down the dump sessions, etc etc and bring down your WLAN card – ifconfig wlan0 down

Then you’ve just gotta connect:
ifconfig <interface> up - bring up the wlan card

iwconfig <interface>mode managed key [WEP key]

iwconfig <interface> essid “[ESSID]” (Specify ESSID for the WLAN)

dhclient [interface] (to receive an IP address, netmask, DNS server and default gateway from the Access Point)

If all goes well you’ll get an IP and then you’re good to go, test by pinging or whatever else.

But if it didn’t work, they may have MAC filtering in place…

So change the MAC address of your wireless card to the same one that you just cracked with!  This is a bit messy and could freak out the DHCP server of the access point, but it’s worth a shot.

Bring the card down first:

ifconfig wlan0 down

Then change the MAC:

ifconfig wlan0 hw ether xx:xx:xx:xx:xx:xx

Bring it back up again and repeat.  You should be good to go.

This is a simplified walkthrough of a process that is documented many other places.  It should give you a taste of kismet, and the basics of the aircrack-ng suite, which has many many other great features.  I encourage you to read all about it over on their website.

Additionally, their site also contains a much more in-depth WEP crack tutorial.

Again, this is not ground-breaking, but it is always good to share the fundamentals in case someone hasn’t seen it before.  Good luck!

WLAN Strategy – Segmented and Guest Networks

Posted by Jon Janego on August 26, 2010 No comments

Continuing my small series on WLAN deployment strategy, now I’ll cover the two more uses for wireless networks in a business.

Segmented Mobile Data

Segmented Mobile Data networks can be found in retail environments for mobile point of sale, hospitals for critical bedside services, warehouses for inventory and logistics, or many other types of environments.  The main idea behind the use of a segmented mobile data network remains to isolate critical data; or to isolate weaker security technologies from the rest of the wireless network.  Regardless of the reasoning, the goal is the same: keep these networks separated from everyone else.  The most critical design decision, therefore, needs to be on the backend – deciding how exactly to segment these networks off.

Professional grade wireless infrastructure like the Cisco 5500 or Motorola RFS7000 is capable of two completely separated WLANs using the same equipment, which is a commonly used technique in such a design.  The infrastructure has an internal firewall that is used to prevent traffic from crossing between the two networks, and can use VLAN tagging to carry back to the main network using a shared WAN connection, or can use two entirely separate WAN connections.  Either way, the infrastructure is functioning as the separation device.  This also generally needs to be backed up with a firewall on the wired infrastructure side, restricting the data flows from the segmented WLAN into the enterprise.

Another alternative is to use two entirely separate pieces of hardware, with two separate physical connections back to the enterprise.  Depending on the needs of your organization, this may be required; if two physically separated wired LANs are deployed, bridging them with a WLAN device may not align with the networking vision.

The type of protection necessary for the the segmented data network again comes down to the technology available.  For data subject to technical compliance concerns, such as PCI-DSS or HIPAA, the stronger the better.  At minimum, WPA2-AES with pre-shared keys can suffice, although a certificate-based authentication solution is always preferable from a strict data security perspective.

If the network is being segmented due to equipment that cannot support strong encryption and authentication technologies, use the strongest available.  Unfortunately, many types of legacy equipment used in warehouses today cannot support WPA2-AES, or even WPA-TKIP – some may be stuck using WEP!  The weaker the level of protection, the more careful your segmentation on backend should be.

Guest Internet Access

Guest internet access generally is provided by a “hotspot”.  Users connect to an unencrypted network, and are sent to a captive portal page, where they can either login with pre-assigned credentials, or accept a terms of service and proceed without any credentials necessary.  Either way, authentication on such a network is accomplished only at the application-level, and there is no data protection provided by the WLAN itself.  As such, these networks should be treated as untrusted and kept firmly segmented from the enterprise, using the techniques described above.

A popular alternative deployment method for hotspot guest wireless networks is to use an entirely separate physical network for guests.  This can dramatically increase the infrastructure costs, but it accomplishes pure segmentation.  A typical use case for this type of physical segmentation would be a cafe or retail environment that wants to provide guests internet access, but doesn’t want to expose any of their business network.  Purchase a separate internet backhaul and configure a Wireless LAN dedicated to this network only.

If your business is subject to compliance regulations, such as PCI, I would strongly recommend using a physically segmented network for guest access.  While this increases capital expenses, it makes scoping activities related to compliance dramatically simpler.  When dealing with auditors, it is always advisable to have clear-cut boundaries around your critical data, and physically isolating any guest network is an easy way to do so.

Summary

Both of these network types rely on the network administrator segmenting the WLAN from the rest of the network.  It’s temping to plug an access point into an unmanaged switch and have the wireless “just work”, but this can open the network to many avenues of attack.  Assume the worse case at the beginning – that your WLAN is compromised – and design its place in the overall enterprise network to minimize the damage that an attacker could do from there.

Quick and Easy Portable Media Encryption

Posted by Walter Goulet on February 25, 2010 1 comment

As part of my personal service delivery process, I have a need to store sensitive information for client engagements (vulnerability assessment results, network diagrams etc). To avoid having a dependency on specific test systems, I prefer to use portable USB drives to store data in the event that I need to switch to another system. However, I don’t want to risk losing this drive with confidential data on it. My solution is to create an encrypted partition on the disk in such a fashion that I can quickly mount the drive on another system without downtime.

To meet these requirements, I use a combination of Dropbox (http://www.dropbox.com), Keepass (http://keepass.info/), and Truecrypt (http://www.truecrypt.org/). I use Dropbox as a portable ‘Program Files’ directory where I install portable versions of Keepass and Truecrypt. This allows me to have my ‘Program Files’ directory replicated on all systems where the Dropbox client is installed (for backup purposes, I usually have my Dropbox account synchronized to 2 different systems).

I use Truecrypt to create an encrypted partition on the USB drive (using AES for encryption and HMAC-SHA-512 as a hash algorithm). The volume key used to encrypt/decrypt the partition is then stored as a password in my Keepass database (which is also stored in my Dropbox).

As long as the Dropbox is synchronized between my test systems, switching from one system to the other is as simple as plugging the USB drive in and launching Truecrypt/Keepass from my Dropbox.

Here’s my step by step instructions to replicating this setup on a Windows XP/Vista/7 system (I assume you already have Dropbox installed on your system):

  1. Create a ‘Programs’ directory in your Dropbox folder. In this folder, create 2 subdirectories, ‘Keepass’ and ‘Truecrypt’.
  2. Copy the portable versions of these programs into their respective folders (Truecrypt does not have an explicit ‘portable’ distribution, rather download the setup file here and choose the ‘Extract’ option when running the setup, Keepass on the other hand provides a portable version that can be downloaded here).
  3. Launch Keepass and create a new password entry for the portable drive. I suggest using the Password generator function to generate the password. Note that since this password is used as an encryption key, I recommend selecting all available characters for generating the password and using the maximum key length (64 characters).
  4. Plug in the portable USB drive that will contain the encrypted partition (note: this has only been tested with USB hard drives; I have not tested this with smaller USB flash drives).
  5. Launch TrueCrypt and use the ‘Create Volume’ button to launch the new volume creation wizard. I recommend writing down the path to the volume being created to make it easier to mount later. For my personal setup, I chose to create a regular (non-hidden) partition using AES and SHA-512 for encryption and as a hash algorithm. When prompted for the volume password, use the password entry created in Keepass.
  6. The volume is now created!

To actually mount the encrypted partition, start Truecrypt and select an available drive entry. Select the encrypted volume from the Volume list then click ‘Mount’. When prompted, enter the password from the Keepass password entry.

Note that regardless of which system was used to create the encrypted partition, you can mount it on any other system as long as you have access to Truecrypt and your volume password.

Information Leakage via Delicious

Posted by Jon Janego on July 10, 2009 3 comments

By now, the concept of “google hacking” is pretty commonly understood.  People may not be preventing it very well, but it’s moved beyond a new thing.

For the uninitiated, though, here’s a brief summary: using Google (or any other search engine – but really, is there any other?) to find vulnerable web apps, personal information, mp3s in public directories, etc etc.  It’s great fun, and a pretty fundamental initial step of profiling an attack target.

Johnny Long was one of the main evangelists of this method and has a great database of search terms.  It’s no longer actively maintained, but you can still find plenty of good information with this as a starting point!

So Google hacking is great, but it only gets you to the public internet.  What if I wanted to profile the inside of a company, from the outside?  And passively – without hitting their servers myself?  Wouldn’t it be great if I could look for public information shared by company insiders?

Delicious seems almost perfectly designed to do this kind of activity.  For the unfamiliar, delicious is an online bookmarking site, designed around the idea that sharing bookmarks is a great way to learn about new sites.  Which is an alright idea…  but don’t people also bookmark a lot of private information?  I sure do!

Making matters worse, delicious encourages users to get started by uploading their browser bookmarks.  Essentially uploading gobs of potentially personal data to a public site.  This is a classic case of information leakage.  A dedicated attacker can use this public information to get all sorts of juicy tidbits about a company.

Let’s do some examples.  This all works great in theory, but, like Google, there is a LOT of data to sort through.  Say I’m a bad guy interested in insider information about a company.  I can start looking for the basics – say… “intranet”.  Delicious makes this easier by encouraging users to tag their posts for easy categorization:

http://delicious.com/tag/intranet

So that gives me everything that users have tagged with ‘intranet’.   Lots of sites about intranet design, usability, etc.  But also sites tagged by users to manage their own bookmarks!  So I’ll start digging into an individual company… how about AMD?

http://delicious.com/search?p=amd&u=&chk=&context=recent&tag=intranet

intranet_amd

The first result doesn’t look interesting, but the second and third, well those sound like intranet sites!  This is confirmed by trying to follow them through and the DNS not resolving.  Nice!  Now let’s see what else this presumed AMD employee has bookmarked…

links_1

Wow, lots of development related links!  Interesting.  And what’s that link on page 2 about “AMD Manager Toolkit” ??  This fellow looks like he’s a technical manager at AMD!

Dig a little deeper, and it looks like we have another intranet site – mentioning the (presumably internal) code name of a project.  Interesting!  Go further into the links, and you see even further links to internal project Wiki pages.

links_2

Surfing around to a few of the non-intranet sites gives me an even better profile of this person.  They work with unit testing.  They use UML, C++, and Ruby, and read a lot about circuit design.  They live in India.  They’re learning guitar, and are interested in martial arts.

This may seem like innocent information to an outsider, but if I was doing this for espionage purposes, I just learned a lot about the internal operations of a project – and this is with 10 minutes of work on one webpage.  What else could I find if I dug through the internet further?

Web 2.0 is a lot of fun, and can be really useful.  But what’s often overlooked are the implications of sharing all this information.  Unless you make it a point to protect your privacy, that privacy probably doesn’t exist.  And for businesses, this can be a major potential risk.

Delicious certainly doesn’t help stop this – according to the FAQ, you cannot make your links private by default, but instead must manually edit them to make them private.  And also, the TOS leaves responsibility entirely in the hands of the users.  Very laissez-faire!

Should companies ban employees from using sites like delicious?  Probably not.  But I think that this demonstrates that employees need to be more educated on what they are exposing themselves and their employer to when using social networking sites.

No WPA2 With Windows Wireless Zero Config??

Posted by Jon Janego on June 8, 2009 1 comment

Wow – I would never have thought that in this day and age, a major vendor like Microsoft wouldn’t fully implement a spec.  However, in the case of WPA2 it looks like that they did exactly that – at least until 2005.

BUT making things more interesting- this was an “optional” update with XP SP2, until it was finally rolled into XP SP3.  There is a hotfix for XP SP2 machines in order to support WPA2 – KB 893357.

WPA2/AES didnt’ really become widely implemented until 2006, but it was in the 802.11i spec that introduced WPA in 2004.  For a major vendor like MS to not implement it is pretty crazy.  But then again I, as a wireless security professional, didn’t setup a WPA2/AES network in my home until last month.  So maybe they were onto something.

Anyways, if you’re using XPSP2 and a WPA2 network – you need the hotfix, or XPSP3+.  Good luck out there!  I really recommend moving to WPA2/AES, especially considering the improvements in the Nvidia CUDA drivers that are allowing TKIP to be broken in an increasingly short amount of time.

HOW-TO: Cutting edge wireless drivers in Ubuntu

Posted by Ben Hagen on January 28, 2009 3 comments

MADWIFI has been the wireless driver of choice for wireless hacking for quite a while, but recently a lot of development time has been moved to the official kernel wireless subsystem drivers. They are slowly gaining and surpassing MADWIFI’s functionality, and are generally more supported and stable. One downside to these drivers is that recompiling the kernel is time and labor intensive and waiting for a distro’s kernel update can put you behind the curve in recent driver functionality.

The COMPAT-WIRELESS project pre-packages the latest wireless code as loadable kernel drivers on a (near) daily basis. This is a convenient way to download pre-patched and archived source… but in order to get the most recent changes (as they are committed) you have to pull the source directly from the kernel.org GIT tree. GIT is a code versioning system similar to CVS, SVN, Bazaar, etc. Below is a simple example of how to do this and compile / install the code. I’m writing this from an Ubuntu installation, but the same concepts should work on other distros. This isn’t an especially difficult process, but it isn’t necessarily obvious either.

There are a few prerequisites for the below instructions to work correctly:

  • Kernel greater than 2.6.21

  • Kernel headers (“apt-get install linux-headers-generic” in Ubuntu)

  • Build tools (“apt-get install build-essential” in Ubuntu)

1. Make a new directory and clone the source trees:

mkdir wireless-testing
cd wireless-testing
git clone git://git.kernel.org/pub/scm/linux/kernel/git/linville/wireless-testing.git
git clone git://git.kernel.org/pub/scm/linux/kernel/git/mcgrof/compat-wireless-2.6.git

2. Make the packages

cd compat-wireless-2.6
export GIT_TREE=../wireless-testing
scripts/admin-update.sh
make

3. Install

cd compat-wireless-2.6
sudo make install

4. Update and repeat steps 2-3 when you want the latest and greatest

cd wireless-testing
git-pull
cd ../compat-wireless-2.6
git-pull

After step 3 you can try reloading the modules dynamically by running “make unload” and “make load” but this probably won’t work if you’re currently using your wireless drivers. Your best bet is to reboot your machine. You can confirm that you’re running the new(er) drivers by listing your kernel modules and look for the mac80211 module.

lsmod | grep mac80211
modinfo mac80211

If there are problems you can uninstall the drivers by running “make uninstall” from the compat-wireless-2.6 directory. Hope this is helpful!