2 Aug 2020

Secure SDLC





It has always been the way: we think of security only after we have been compromised. So why not think of security during the building phase of an application?

This is where DevSecOps comes in, and where the Secure Software Development Life Cycle (SDLC) takes place.


It is a process built into the design that consists of training, risk analysis, code scanning, penetration testing and vulnerability management.

Below are the steps that require a walkthrough during development and also post development.

(Steps can be shortened or added depending upon the requirement.)





This tells us the What, When, Why and How of the Secure SDLC.


Step 1: Provide Training to the Developers 

What: Basic training in web application security, such as the OWASP Top 10, network protocols, attack vectors, encryption and the CIA triad.

When: Before any development.

Why: It gives developers a perspective on the attacks that can happen due to poor coding and weak logic.

How: OWASP Top 10, CIA triad, networking protocols.
 

Step 2: Design Requirements

What: This gives the big picture of the application that is to be built.

When: During development (planning stage).

Why: This helps us place the security tools accordingly.

How: Approved libraries and cryptography, input sanitization, MFA.


Step 3: Product Risk Assessment

What: Analysis of third-party and open source tools before using them.

When: During network architecture design (planning stage).

Why: To have control over the tools used, according to the application's functionality.

How: Review project dependencies; apply vulnerability fixes or patches.


Step 4: Risk Analysis 

What: Following the CIA triad and validating the risks.

When: During the planning stage.

Why: To help us manage risk and give us a compliant application.

How: Mitigate the high risks as soon as possible, such as de-anonymization, data breach, data loss and data corruption.


Step 5: Threat Modeling

What: To analyse in depth the risks calculated for the risk assessment, and

When: During the planning stage of development.

Why: To have early mitigation and validation of any identified threat.

How: Mitigate the identified threat as soon as possible and validate after mitigation.


Step 6: Documentation

What: Creating security documents covering the tools used and the best practices.

When: During the product development time.

Why: To address the process, milestones,

How: Have a wiki page of bugs found and their mitigation.


Step 7: Static Application Security Testing

What: Code scanning using tools to find any bug or logical error.

When: During the building stage.

Why: So that we can fix the bugs at the earliest and minimize false positives. Integrate it in the CI/CD pipeline so that we are notified on each code change or new build.

How: SonarQube, Snyk, Veracode and more (choose as per the application requirement).


Step 8: Dynamic Application Security Testing

What: Testing the application from the outside, as an attacker would.

When: When the application is running and the code is not available to the tester.

Why: It interacts with the application from the outside and is useful for the company's compliance standards.

How: Nikto, OWASP ZAP (choose as per the application requirement).


Step 9: Product Release, QA

What: Similar to DAST, but it also involves other factors such as OS vulnerabilities, hardware configuration and social engineering.

When: Generally a company outsources the testing if it does not have the in-house resources, in order to find the vulnerabilities in firewalls, servers, open ports and routers.

Why: Breaking things before an attacker does.

How: Burp proxy, Nessus


Step 10: Deploy and Monitor

What: Collecting the logs and sending them to the SIEM system, which is useful to detect any abnormalities and live attacks so that they can be alerted on and prevented.

When: After the product has been deployed to the endpoint(s).

Why: It gives us a 24x7 window into malicious activities, which the incident response team can act on.

How: Involve the incident response team in integrating the application with the SIEM solution.



Ref:

https://github.com/tanprathan/OWASP-Testing-Checklist

https://owasp.org/www-project-web-security-testing-guide/assets/archive/OWASP_Web_Application_Penetration_Checklist_v1_1.pdf

https://www.sans.org/reading-room/whitepapers/bestprac/paper/36872

https://cheatsheetseries.owasp.org/IndexASVS.html





18 Apr 2020

Python : SSL Version Scanner



A Python package to find the SSL/TLS versions offered by a host. You can modify the script for your host and get the SSL/TLS version numbers in order to look for known vulnerabilities.

Follow the link below to get your package ready:

https://khirawadhi.blogspot.com/2018/04/how-to-build-python-package-and-keep.html

After setting up, use this in your script to get the SSL/TLS version numbers.

1) This is your __init__.py script

#!/usr/bin/env python

import socket
import nmap  # python-nmap; wraps the nmap binary, which must be installed

def printSSL(h):
    """Run nmap's ssl-enum-ciphers script against port 443 and print each offered version."""
    host = h
    addrs = socket.gethostbyname(host)

    nm = nmap.PortScanner()
    nm.scan(hosts=addrs, arguments='-n -sV --script ssl-enum-ciphers -Pn -p 443')
    ssl = nm[addrs]['tcp'][443]['script']['ssl-enum-ciphers']

    # Version headings in the script output look like "TLSv1.2:" or "SSLv3:";
    # cipher names start with "TLS_", so they are not picked up here.
    for item in ssl.split("\n"):
        if "TLSv" in item or "SSLv" in item:
            version = item.strip()
            print("SSL/TLS Version of " + str(host) + " is " + version)


2) This is your setup.py script

from setuptools import setup

setup(name='SSL_Scanner',
      version='0.1',
      description='Version Scanner',
      url='http://maddog.com',
      author='Hooman',
      author_email='hooman@example.com',
      license='CAT',
      packages=['SSL_Scanner'],
      zip_safe=False)

3) Install twine to publish the package

# pip install twine

4) Build the source distribution of your package

# python setup.py sdist

5) Upload your package to PyPI

# twine upload dist/*

6) pip install this package

# pip install SSL_Scanner

7) Use the package in your script

>>> import SSL_Scanner
>>> SSL_Scanner.printSSL("yahoo.com")
or
>>> SSL_Scanner.printSSL("bingo.com")

There you have it: the script(s) above give us the list of SSL/TLS versions a host offers, which can further be used to look up the vulnerabilities of that host.
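The script above only prints the version headings. As an added example (not part of the original post), here is a parser for the text that nmap's ssl-enum-ciphers script returns, run over a constructed sample: it extracts every offered protocol version with its ciphers and grades, and flags deprecated versions (SSLv2/SSLv3, TLS 1.0/1.1) and weakly graded ciphers. The grading threshold is an assumption; nmap's own A to F letter grades are used as-is.

```python
import re

# Constructed sample of nmap ssl-enum-ciphers output (not from a real scan).
SAMPLE_OUTPUT = """
  SSLv3: 
    ciphers: 
      TLS_RSA_WITH_RC4_128_SHA (rsa 2048) - C
    compressors: 
      NULL
  TLSv1.0: 
    ciphers: 
      TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
      TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
  TLSv1.2: 
    ciphers: 
      TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
      TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
  least strength: C
"""

# Protocol versions that RFC 8996 (TLS 1.0/1.1) and RFC 7568 (SSLv3) deprecate.
DEPRECATED = {"SSLv2", "SSLv3", "TLSv1.0", "TLSv1.1"}
VERSION_RE = re.compile(r"^\s*((?:SSL|TLS)v[\d.]+):\s*$")
CIPHER_RE = re.compile(r"^\s*(TLS_\w+)\s+\(([^)]*)\)\s+-\s+([A-F])\s*$")

def parse_ssl_enum_ciphers(output):
    """Return {version: [(cipher_name, key_info, grade), ...]} from script output."""
    versions = {}
    current = None
    for line in output.splitlines():
        m = VERSION_RE.match(line)
        if m:
            current = m.group(1)
            versions[current] = []
            continue
        m = CIPHER_RE.match(line)
        if m and current is not None:
            versions[current].append((m.group(1), m.group(2), m.group(3)))
    return versions

def assess(versions, min_grade="B"):
    """List findings: deprecated protocol versions and ciphers graded worse than min_grade."""
    findings = []
    for version in sorted(versions):
        if version in DEPRECATED:
            findings.append("deprecated protocol enabled: " + version)
        for name, _info, grade in versions[version]:
            if grade > min_grade:  # letters run A (best) to F, so "C" > "B" means weaker
                findings.append("weak cipher (%s) under %s: %s" % (grade, version, name))
    return findings

if __name__ == "__main__":
    parsed = parse_ssl_enum_ciphers(SAMPLE_OUTPUT)
    print("Offered versions:", ", ".join(sorted(parsed)))
    for finding in assess(parsed):
        print("FINDING:", finding)
```

To use it with the package above, pass the `ssl` string that printSSL reads from the nmap result into parse_ssl_enum_ciphers instead of the constructed sample.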

How to build python package and keep your sanity



Python is a cool language; we can do nearly everything with it, from running a Hello World to developing a tool. Here we'll see how to create your own sample Python package in easy steps.

1) Package Structure (Very Important)

       your_directory/
             sub_directory/
                    __init__.py
             setup.py
e.g.,
      sample/
            sample/
                 __init__.py
            setup.py


2) Create __init__.py file

We need an __init__.py file to initialize the Python package and to distinguish it from an ordinary directory.
This file contains only the function to be executed, e.g.:

def hello():
    # The function exposed by the package; imported as sample.hello()
    return u'Hello Evil World'

3) Create setup.py file

This is a very important file; it calls the setup() function, which gives the specific details of your package.
Create a setup.py file in the main directory, outside the sub-directory, and write the following:

from setuptools import setup

setup(name='Sample',
      version='0.1',
      description='Sample Demo',
      url='http://maddog.com',
      author='HocusPocus',
      author_email='Hocus@example.com',
      license='DEMO',
      packages=['sample'],  # must match the sub-directory that holds __init__.py
      zip_safe=False)


4) pip install .

This will install your package on your local system. (It can only be used locally.)

# pip install .

Remember the dot ( . ) at the end of the command.

5) Install twine for your package.

# pip install twine

6) Register your package on PyPI

Now, to make your package available globally, register it on PyPI. Go to the directory containing the setup.py file and the sub-directory and run the following:

# python setup.py sdist

This will generate an archive of your package as a source distribution under dist/.

# twine upload dist/*

This will upload your package to PyPI.
The command will ask for a username and password; provide them and it will upload your package to PyPI.

Check https://pypi.org/project/<your_package_name> to see whether your package exists.

7) pip install <your_package_name> 

This will install your package from anywhere onto any machine, as long as it has Python installed.

# pip install <your_package_name>


There you have it, your python package.

17 Apr 2020

What is a Snort Rule and How to Write One?



What is a Snort Rule?
Snort is a network intrusion detection and prevention system which uses rules.

These rules are combinations of signatures, protocols and inspection methods that describe expected malicious behaviour on the network, such as DDoS, buffer overflows, OS fingerprinting and stealth scans.

It also does real-time analysis of network traffic. It uses libpcap on Linux/Unix and WinPcap on Windows.


How to write a Snort Rule?
A rule contains a rule header and rule options.

Rule Header:
It identifies the action (alert, log, pass), the protocol, the source and destination addresses and ports, and the direction of the traffic.

Rule Action: Tells Snort what action to take when the rule's conditions are met.
Pass: Tells Snort to ignore the packet.
Log: Logs the packet.
Alert: Generates an alert message when the conditions are true for the traffic.
Activate: Generates an alert and also activates another (dynamic) rule to check for more conditions.
Dynamic: These rules stay idle until triggered by an activate rule.
User-defined action: Lets us create our own rule type(s).

Rule Options:
These identify the alert's message and the detection details.

Message (msg): The text written with the log or alert when the rule fires.
Reference: A reference to an external attack identification system, such as a CVE id.
Generator ID (gid): Identifies which part of Snort generated the event when the rule fires.
Snort rule ID (sid): Uniquely identifies the rule.
Revision (rev): Identifies the revision of the rule.
Classtype: Categorizes the rule by the class of attack it detects.
Priority: Assigns a severity level to the rule.
Metadata: Gives additional information about the rule.

Examples :

alert tcp any any -> any 80 (msg:"TCP Traffic alert"; content:"login"; flags:S; sid:100;)

alert udp any any -> any any (msg:"UDP Traffic alert"; content:"login"; sid:101;)

alert : Rule action. Snort generates the alert when the conditions are satisfied.
tcp / udp : Protocol the rule inspects.
any  : Source IP address. With "any", Snort considers every source IP.
any  : Source port number. With "any", Snort considers every source port.
->   : Direction of the flow, from source to destination.
any  : Destination IP address. With "any", Snort considers every destination IP.
80 / any : Destination port number (80 in the first rule, any in the second).
msg : The message attached to the alert.
content : The payload string the rule looks for; the rule fires when the packet payload contains it.
flags : The TCP flags to match on (S = SYN in the first rule).
sid   : Snort's unique ID for that rule.
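To make the header/option split concrete, here is an added example (not part of the original post) that parses a rule in the format described above into its seven header fields and its ordered options, and decodes the |hex| byte notation used in the later examples. The sample rule is a constructed copy of this post's Heartbleed rule; the set of accepted actions and the sid check are this example's own assumptions.

```python
import re

# Constructed sample rule (the page's Heartbleed rule with its syntax tidied).
SAMPLE_RULE = ('alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"Plaintext HTTP headers over port 443"; '
               'flow:from_server,established; content:"User|2d|Agent"; content:"Host|3a|"; sid:10000008; rev:1;)')

HEADER_FIELDS = ("action", "proto", "src", "src_port", "direction", "dst", "dst_port")
ACTIONS = {"alert", "log", "pass", "activate", "dynamic", "drop", "reject", "sdrop"}
HEADER_RE = re.compile(r"^\s*(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$")
# One option runs up to a ';' that is not inside double quotes (msg text may contain ';').
OPTION_RE = re.compile(r'((?:[^;"]|"[^"]*")+);')

def decode_content(value):
    """Turn a content string such as 'User|2d|Agent' or '|41 41|' into the bytes Snort matches on."""
    out = bytearray()
    for i, part in enumerate(value.split("|")):
        if i % 2 == 1:  # odd segments sit between pipes and hold hex bytes
            out.extend(bytes.fromhex(part.replace(" ", "")))
        else:
            out.extend(part.encode("latin-1"))
    return bytes(out)

def parse_rule(rule):
    """Split a rule into a header dict and an ordered list of (keyword, value) options."""
    m = HEADER_RE.match(rule)
    if not m:
        raise ValueError("malformed rule header")
    header = dict(zip(HEADER_FIELDS, m.groups()[:7]))
    if header["action"] not in ACTIONS:
        raise ValueError("unknown rule action: " + header["action"])
    options = []
    for opt in OPTION_RE.findall(m.group(8)):
        key, _, val = opt.strip().partition(":")
        options.append((key.strip(), val.strip().strip('"')))
    if "sid" not in dict(options):
        raise ValueError("rule has no sid")  # every rule needs a unique id
    return header, options

def content_bytes(options):
    """Return the decoded payload patterns of every content option, in rule order."""
    return [decode_content(v) for k, v in options if k == "content"]

if __name__ == "__main__":
    hdr, opts = parse_rule(SAMPLE_RULE)
    print(hdr)
    print(opts)
    print(content_bytes(opts))  # [b'User-Agent', b'Host:']
```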


Let's see our Rules in Action:

Example 1)

alert icmp any any -> $HOME_NET any (msg:"ICMP test"; sid:1001; rev:1; classtype:icmp-event;)

This is a simple example of a Snort rule, which generates an alert when we send an ICMP request and the ICMP response comes back to the home network, aka a ping.



We ping Google DNS (8.8.8.8) in the terminal:



Check Squert in Security Onion for the Snort alert.


Let's see some more Examples:


Example 2)

Snort Rule For EternalBlue Vulnerability:

Refer to the previous blog post "Eternalblue vulnerability" to perform the exploit on SMB.


There we captured the pcap, and we can see that there are lots of 'A' characters in it.


We will use the hex value of this 'A' character, which is '41', in our Snort rule, as it is more efficient than the ASCII value. We have 1449 'A' characters, so we will put 1449 '41's inside our rule.

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"Possible buffer overflow attempt over port 445."; content:"|4141...14141|";sid:10000006; rev:1;)

As you can see, in our Security Onion, Squert shows our rule firing:



Example 3)

Snort Rule For Heartbleed Vulnerability:

Follow the link below to perform the exploit with the Heartbleed vulnerability.

Here in the pcap, we can see the data flowing in plain text. We will use that information in our rule.



alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"Plaintext HTTP headers User-Agent and Host detected over port 443 (response from server)."; flow:from_server,established; content:"User|2d|Agent"; content:"Host|3a|"; sid:10000008; rev:1;)

Here you can see our Snort rule for the Heartbleed vulnerability firing in Squert on Security Onion: