aka wow on ZATAZ.com
Posts tagged Cloud
Metasploit VMware Auxiliary Modules
01 week ago
in Metasploit
Metasploit provide some VMware auxiliary modules who will permit you to fingerprint, gather information’s, enumerate users/groups/permissions, enumerate or terminate user administrative sessions, enumerate virtual machines hosted on ESX/ESXi and power on/off virtual machines.
You can find all these auxiliary modules through the Metasploit search command.
VMWare ESX/ESXi Fingerprint Scanner (esx_fingerprint)
To invoke this auxiliary module just type the following command :
This module attempt try to access to VMware ESX/ESXi Web API interfaces and attempts to identify the running version of ESX/ESXi. Web API interfaces are running on port 443/TCP with “/sdk” default URL, also all connections are encrypted in SSL.
You can run this module against multiple hosts by defining the “RHOSTS” variable. “RHOSTS” variable could be a unique IP address, an IP addresses range (ex : 192.168.1.0-192.168.1.255, or 192.168.1.0/24) or a file (ex : file:/tmp/ip_addresses.txt). Also in order to parallelize brute force attempts, just increase the number of concurrent threads by setting the “THREADS” variable.
VMWare Authentication Daemon Version Scanner (vmauthd_version)
To invoke this auxiliary module just type the following command :
This module will gather information’s about an ESX/ESXi host through the vmauthd service on port 902/TCP.
You can run this module against multiple hosts by defining the “RHOSTS” variable. “RHOSTS” variable could be a unique IP address, an IP addresses range (ex : 192.168.1.0-192.168.1.255, or 192.168.1.0/24) or a file (ex : file:/tmp/ip_addresses.txt). Also in order to parallelize brute force attempts, just increase the number of concurrent threads by setting the “THREADS” variable.
VMWare Web Login Scanner (vmware_http_login)
To invoke this auxiliary module just type the following command :
This module attempts to authenticate to the VMWare HTTP service for VmWare Server, ESX, and ESXi.
You can run this module against multiple hosts by defining the “RHOSTS” variable. “RHOSTS” variable could be a unique IP address, an IP addresses range or a file. This module is also attempting to authenticate using username and password combinations indicated by the “USER_FILE“, “PASS_FILE“, and “USERPASS_FILE” options. You can use SkullSecurity password lists. Also in order to parallelize brute force attempts, just increase the number of concurrent threads by setting the “THREADS” variable.
All valid user and password combinations are in green, invalid login are in red.
VMWare Authentication Daemon Login Scanner (vmauthd_login)
To invoke this auxiliary module just type the following command :
This module will test vmauthd logins on a range of machines and report successful logins.
You can run this module against multiple hosts by defining the “RHOSTS” variable. “RHOSTS” variable could be a unique IP address, an IP addresses range or a file. This module is also attempting to authenticate using username and password combinations indicated by the “USER_FILE“, “PASS_FILE“, and “USERPASS_FILE” options. You can use SkullSecurity password lists. Also in order to parallelize brute force attempts, just increase the number of concurrent threads by setting the “THREADS” variable.
All valid user and password combinations are in green, invalid login are in red.
VMWare Enumerate Host Details (vmware_host_details)
To invoke this auxiliary module just type the following command :
This module attempts to enumerate information about the host systems through the VMWare web API.
You can run this module against multiple hosts by defining the “RHOSTS” variable. “RHOSTS” variable could be a unique IP address, an IP addresses range or a file. You have to provide a valid “USERNAME” and “PASSWORD“. In order to parallelize brute force attempts, just increase the number of concurrent threads by setting the “THREADS” variable. Also, you can enumerate hardware details of the host by setting the “HW_DETAILS” option to “true“.
VMWare Enumerate User Accounts (vmware_enum_users)
To invoke this auxiliary module just type the following command :
This module will log into the Web API of VMWare and try to enumerate all the user accounts. If the VMware instance is connected to one or more domains, it will try to enumerate domain users as well.
You can run this module against multiple hosts by defining the “RHOSTS” variable. “RHOSTS” variable could be a unique IP address, an IP addresses range or a file. You have to provide a valid “USERNAME” and “PASSWORD“. Also, in order to parallelize brute force attempts, just increase the number of concurrent threads by setting the “THREADS” variable.
VMWare Enumerate Permissions (vmware_enum_permissions)
To invoke this auxiliary module just type the following command :
This module will log into the Web API of VMWare and try to enumerate all the user/group permissions. Unlike “vmware_enum_users” auxiliary module this is only users and groups that specifically have permissions defined within the VMware product.
You can run this module against multiple hosts by defining the “RHOSTS” variable. “RHOSTS” variable could be a unique IP address, an IP addresses range or a file. You have to provide a valid “USERNAME” and “PASSWORD“. Also, in order to parallelize brute force attempts, just increase the number of concurrent threads by setting the “THREADS” variable.
VMWare Enumerate Active Sessions (vmware_enum_sessions)
To invoke this auxiliary module just type the following command :
This module will log into the Web API of VMware and try to enumerate all the login sessions.
You can run this module against multiple hosts by defining the “RHOSTS” variable. “RHOSTS” variable could be a unique IP address, an IP addresses range or a file. You have to provide a valid “USERNAME” and “PASSWORD“. Also, in order to parallelize brute force attempts, just increase the number of concurrent threads by setting the “THREADS” variable.
Unfortunately this module is not working with VMware ESXi 5.0
VMWare Terminate ESX Login Sessions (terminate_esx_sessions)
To invoke this auxiliary module just type the following command :
This module will log into the Web API of VMWare and try to terminate user login sessions as specified by the session keys.
You can run this module against one host by defining the “RHOST” variable. You have to provide a valid “USERNAME” and “PASSWORD“. Also you have to provide a session key identified by the previous “vmware_enum_sessions” auxiliary module by defining the “KEYS” variable.
Unfortunately this module is not working with VMware ESXi 5.0
VMWare Enumerate Virtual Machines (vmware_enum_vms)
To invoke this auxiliary module just type the following command :
This module attempts to discover virtual machines on any VMWare instance running the web interface. This would include ESX/ESXi and VMWare Server.
You can run this module against multiple hosts by defining the “RHOSTS” variable. “RHOSTS” variable could be a unique IP address, an IP addresses range or a file. You have to provide a valid “USERNAME” and “PASSWORD“. Also, in order to parallelize brute force attempts, just increase the number of concurrent threads by setting the “THREADS” variable. By defining the “SCREENSHOT” variable, the auxiliary module will try to take a screenshot of the running VM.
VMWare Power On Virtual Machine (poweron_vm)
To invoke this auxiliary module just type the following command :
This module will log into the Web API of VMWare and try to power on a specified Virtual Machine.
You can run this module against one host by defining the “RHOST” variable. You have to provide a valid “USERNAME” and “PASSWORD“. Also you have to provide a virtual machine name identified by the previous “vmware_enum_vms” auxiliary module by defining the “VM” variable (for example : set VM CentOS 5.8 i386).
VMWare Tag Virtual Machine (tag_vm)
To invoke this auxiliary module just type the following command :
This module will log into the Web API of VMWare and ‘tag’ a specified Virtual Machine. It does this by logging a user event with user supplied text.
You can run this module against one host by defining the “RHOST” variable. You have to provide a valid “USERNAME” and “PASSWORD“. You have to provide a virtual machine name identified by the previous “vmware_enum_vms” auxiliary module by defining the “VM” variable (for example : set VM CentOS 5.8 i386). Also you have to provide a message through the “MSG” variable.
VMWare Power Off Virtual Machine (poweroff_vm)
To invoke this auxiliary module just type the following command :
This module will log into the Web API of VMWare and try to power off a specified Virtual Machine.
You can run this module against one host by defining the “RHOST” variable. You have to provide a valid “USERNAME” and “PASSWORD“. Also you have to provide a virtual machine name identified by the previous “vmware_enum_vms” auxiliary module by defining the “VM” variable (for example : set VM CentOS 5.8 i386).
Should Dropbox be Shutdown for Spreading Mass Malwares ?
12 months ago
in Various
Blog posts on Symantec and ThreatPost have point the fact that Dropbox is used by bad guys to spread spam and phishing campaigns and also malwares. All theses malwares, files used in phishing and spamming campaigns coming from the “Public Folder” of malicious Dropbox accounts. Any file put in this folder gets its own Internet link so that he can be shared with others. Examples of malwares spread by Dropbox :
http://dl.dropbox.com/u/58336523/x/login.php, PHP/IRCBOT used in remote file inclusion campaigns.
http://dl.dropbox.com/u/63038576/Script.exe, WORM/Ainslot.A.1946 used in infection campaigns.
The problem is that Dropbox is not spreading malwares since few days. If you take a look at Clean MX database, Dropbox is present since 2010-04-19, with an explosion of malwares in 2011. The fact that Dropbox spread malwares is real and it is the case since long time. Dropbox is also present in Malc0de database since 2012-02-26.
Compared to other malware spreaders, Dropbox has a privileged status. For example, in November 2011, FileAve.com a free file hosting provider notorious for spreading thousands of malwares were shutdown after years of activities. FileAve.com have provide 50 MB free storage and a free sub domain for each created account (ex : http://yourname.fileave.com). FileAve.com was present in Clean MX database since the 2007-11-30, in Malc0de database since the 2010-01-11 and in our database since the 2009-02-16. The shutdown of FileAve.com was a good news for every one.
We can ask us a legitimate question, should Dropbox be shutdown, same as for FileAve.com ? Aren’t they both malware spreaders ?
Cloud or not to Cloud ?
01 year ago
in Various
Le Cloud est un sujet à la mode depuis déjà quelques années, mais pour ceux qui ne savent pas encore ce qu’est le Cloud, un petit rappel bref n’est pas inutile.
Vous utiliser, la majorité d’entre-vous, les services de Google, tels que Google Mail, Google Calendar, Google Docs, Skype, etc. Tous ces services sont des services “Cloud”. Vous n’avez plus à vous soucier d’installer un serveur de mail pour votre entreprise, Google vous l’offre et prend en charge l’administration et les évolutions du service. Vous n’avez plus besoin d’installer un logiciel du type Outlook pour gérer vos contacts et vos rendez-vous, Google Mail et Calendar répondent à vos besoins. Pourquoi installer Microsoft Office, Microsoft et Google vous propose gratuitement ou de louer à la demande ces suites de logiciels bureautique. Les domaines d’applications du Cloud peuvent se multiplier à l’infinie.
Pour une entreprise, l’avantage économique du Cloud se situe à ne plus à avoir de dépenses d’investissement de capital (CAPEX) sur le hardware, les logiciels, etc. De ne plus avoir besoin d’une escouade d’informaticiens interne, car toute l’administration et la gestion quotidienne sont délocalisées chez le fournisseur de service “Cloud”.
Beaucoup de souplesse, d’agilité, d’intérêts financier dans le Cloud, mais pour autant la mutualisation des infrastructures, des logiciels à aussi comme contrepartie de délocaliser et de mutualiser les risques. Est-ce que vos données d’entreprises sont bien séparées des données d’autres entreprises, est-ce que les personnes qui accèdent à vos données sont bien autorisées à le faire, est-ce que les locaux et ressources du fournisseur sont bien protégées contres des accès physiques frauduleux, est-ce que vos données seront toujours accessible pour que vous puissiez continuer à travailler à n’importe quel moment, est-ce que les lois en vigueur pour votre fournisseur sont conformes à vos obligations légales ? Etc.
Il suffit simplement de se projeter une semaine en arrière pour voir que la délocalisation et la mutualisation des risques est effectivement un facteur à prendre en compte lorsque l’on veut se lancer dans une expérience “Cloud”.
Skype, par exemple, a subit cette semaine une journée entière de perturbation, empêchant quelques dizaines de millions d’utilisateurs de pouvoir tous simplement téléphoner … Les entreprises basant leurs appels uniquement sur Skype ont bien sûr mal évalués, ou omit, le risque encouru de la perte de ce canal de communications. Il est toujours nécessaire de penser à une roue de secours.
Encore cette semaine, Microsoft a reconnus que des données de sociétés clientes du service BPOS (Business Productivity Online Suite) ont vu celles-ci se voir accéder par des utilisateurs d’autres sociétés. Malheureusement Microsoft n’est pas dans la possibilité de savoir depuis combien de temps ces accès ont pu avoir lieu.
Le Cloud sera de toute façon la prochaine évolution forcée de l’informatique grand publique et professionnelle, mais plutôt que de vous lancer tête baisser dans l’aventure, n’oubliez pas d’évaluer vos risques.
Remote File Inclusion in Google Cloud – nurhayati satu
01 year ago
Every know the Cloud security problematic, and the associated issues how are more and more visible. In July 2008 Outblaze and Spamhaus blocked Amazon EC2 Public IP ranges due to distribution of spam and malware. In April 2009 Arbor Networks reported that a malicious Google AppEngine was used as botnet CnC. In April 2010, VoIP Tech Chat has reported some Amazon EC2 SIP brute force attacks, until abuse report to Amazon EC2 the attacks have still continue in May, etc.
In March 2009, our Honey Net reported us a malicious Remote File Inclusion code hosted on a Google Sites, how was invoked in few events. The Google Sites was called “nurhayati satu“, an Indonesian surname and first name. The invoked malicious script was “http://sites.google.com/site/nurhayatisatu/1.txt???“.
| RFI IP | Total num. events | Total src IPs | First seen | Last seen | Livetime (day’s) |
|---|---|---|---|---|---|
| 209.85.229.102 | 145 | 11 | 09/03/2009 00:42:03 | 05/07/2010 15:41:52 | 483 |
| 209.85.229.101 | 112 | 7 | 01/05/2010 11:17:52 | 2010-07-06 18:57:38 | 66 |
| 209.85.229.100 | 106 | 6 | 2010-06-13 04:01:21 | 2010-07-06 18:38:57 | 23 |
| 74.125.87.102 | 11 | 2 | 2010-06-15 03:07:56 | 2010-06-15 03:31:06 | 0 |
| 74.125.87.139 | 1 | 1 | 2010-06-15 03:07:56 | 2010-06-15 03:07:56 | 0 |
| 74.125.87.100 | 11 | 2 | 2010-06-15 03:07:56 | 2010-06-15 03:31:06 | 0 |
| 74.125.87.113 | 2 | 1 | 2010-06-15 03:07:56 | 2010-06-15 03:53:01 | 0 |
| 74.125.87.138 | 11 | 2 | 2010-06-15 03:09:21 | 2010-06-15 03:31:06 | 0 |
| 74.125.87.101 | 2 | 2 | 2010-06-15 03:09:21 | 2010-06-15 03:53:28 | 0 |
| 209.85.227.102 | 2 | 1 | 2010-06-20 00:53:43 | 2010-06-20 01:12:42 | 0 |
| 209.85.227.139 | 1 | 1 | 2010-06-30 03:45:11 | 2010-06-30 03:45:11 | 0 |
| 209.85.227.100 | 1 | 1 | 2010-06-30 03:44:17 | 2010-06-30 03:44:17 | 0 |
| 209.85.227.113 | 1 | 1 | 2010-06-30 04:03:05 | 2010-06-30 04:03:05 | 0 |
| 74.125.77.102 | 10 | 2 | 2010-06-30 11:42:23 | 2010-07-06 15:01:48 | 6 |
| 74.125.77.100 | 10 | 2 | 2010-06-30 11:42:23 | 2010-07-06 14:49:53 | 6 |
| 74.125.77.101 | 9 | 2 | 2010-06-30 11:42:24 | 2010-07-06 15:01:48 | 6 |
Between March 2009 and May 2010, no more sign of life of this Google Sites. But since May the number of events have increase and we could distinguish the apparition of the “Cloud” phenomena. “nurhayati satu” Google Sites has now around 16 IP addresses associated as hosting server and all these IP addresses are owned by Google Inc. The involved CIDR’s are 209.85.128.0/17 and 74.125.0.0/16.
It is interesting to visualize the interactions of the attackers source IPs (in blue) with the Google Sites Cloud destination IPs (in green).
Google Sites Cloud RFI
You can see that the attackers source IPs are not dedicated to one hosting server IP, but are also invoking the “Cloud” IPs.
Between the search engine of the “nurhayati satu” Google Sites you can find other hosted classical scripts, scanners, tcl, etc.
Every one of you know the Google results labelled ‘This site may harm your computer‘.
It will be funny if Google Sites themselves will be labelled, but more seriously should we declare Google Sites to Dshield, Abuse.ch or Emerging Threats ? Should we block Google, cause Google is delivering some malwares between his Cloud infrastructure, and no one care 
Les solutions Cloud ne sont pas “compliant” avec PCI
02 years ago
in Various
Malgré toutes les bonnes volontés, il ne se passe pas un jour sans que l’on retrouve des données bancaires sur Internet, soit par le biais d’un piratage, soit tous simplement par le biais d’un “Google Hacking“. Ces données bancaires dérobées et exploitées par des pirates informatiques mettent à mal le commerce électronique et la confiance des internautes dans les paiements en ligne.
Vous connaissez sûrement tous le standard PCI qui promeut la protection des données de paiement tels que vos données personnelles, vos identifiants et surtout votre numéro de carte bancaire, sa date d’expiration et son cryptogramme visuel. Le forum PCI Security Standards Council a élaboré desstandards de sécurité qui nécessitent des pré-requis pour la gestion quotidienne de la sécurité, autant en terme technique, qu’en terme de règles de sécurité et de processus.
De plus en plus d’entreprises, ont alors décidées de rejoindre le forum PCI et de se faire certifier compliant PCI-DSS, afin de redorer leurs images et des redonner de la confiance aux internautes envers les paiements en ligne.
Malheureusement, ces mêmes entreprises, dans le même temps, toujours en recherche d’économie d’échelle, se sont montrées très intéressées par les solutions Cloud, tels que les SaaS (Cloud Application), PaaS (Cloud Software Environment) et IaaS (Cloud Infrastructure). De nombreux chercheurs en sécurité informatique, ainsi que de nombreux professionnels de la sécurité doutaient déjà à l’époque de la possibilité d’affirmer qu’une solution Cloud soit complètement sécurisé et compliant avec de nombreux standards.
Amazon avec ses solutions Cloud EC2 et S3 (IaaS), a malheureusement confirmé, en toute honnêteté, qu’il serait impossible pour une entreprise utilisant ses solutions d’obtenir le niveau 1 du standard PCI-DSS si les données bancaires seraient stockées sur ses solutions.
De nombreux autres fournisseurs de solutions Cloud vont malheureusement devoir s’aligner sur les paroles de Amazon afin que les entreprises intéressées par leurs solutions connaissent les risques encourus en terme de sécurité et de normalisations.
Recent Comments