On 14 April 2010, Antisecurity released a Joomla wgPicasa Component Local File Inclusion (LFI) exploit, published on Exploit Database as EDB-ID 12230. To attract the "bad guys" who would use this exploit, on 15 April we published a news item containing, both in the URL and in the body, keywords chosen to be as attractive as possible 🙂 Most LFI scanners use Google dorking to find potentially vulnerable targets, so the goal was simply to get a good position in the Google ranking.
Since 15 April we can see that this particular exploit is targeted far more than other Local File Inclusion exploits, and the number of events is still increasing one month after the exploit's publication.
Joomla wgPicasa SIG 2011067 events for the current month
We also have some source IPs that are really trying to get in 🙂
TOP 10 source IPs exploiting Joomla wgPicasa SIG 2011067 during the current month
TOP 20 source countries exploiting Joomla wgPicasa SIG 2011067
So, in one word: Joomla wgPicasa is the current hype, and if you really use Joomla, shut down your server 🙂
Metasploit has an auxiliary module dedicated to anonymous FTP scanning. I was interested in comparing this Metasploit module with the Nmap ftp-anon NSE script.
I decided to scan a /19 range, which represents 8192 IP addresses, with both tools, and to compare the results and the time taken by each scan.
Metasploit
Just use the Metasploit CLI (msfcli), which makes it possible, without configuring the Metasploit database, to measure the time needed for the complete scan:
time ./msfcli auxiliary/scanner/ftp/anonymous ConnectTimeout=1 FTPTimeout=1 RHOSTS=xxx.xxx.xxx.0/19 E
By default the Metasploit ftp_anonymous auxiliary module is single threaded; you can increase the number of threads by setting the THREADS variable. We will not change this default, since Nmap exposes no comparable thread setting (it manages its own parallelism internally). But we do decrease the ConnectTimeout and FTPTimeout advanced options to 1 second.
Metasploit took around 75 minutes to scan all 8192 IP addresses and returned 35 anonymous FTP servers.
With 256 threads, to be fair ^^, Metasploit scans the 8192 IP addresses in 1 minute 27 seconds. (LOL)
We got this kind of result:
[*] aaa.aaa.aaa.aaa:21 Anonymous READ (220 aaa.aaa.aaa.aaa FTP server ready)
[*] Scanned 4075 of 8192 hosts (050% complete)
[*] Auxiliary module execution completed
[*] bbb.bbb.bbb.bbb:21 Anonymous READ/WRITE (220 Welcome to my FTP Server)
[*] Scanned 5045 of 8192 hosts (060% complete)
[*] Auxiliary module execution completed
To test whether the anonymous FTP server is writable, Metasploit tries to create a directory with the MKD command; if the creation succeeds, the directory is immediately deleted with the RMD command. If the anonymous FTP server is not writable, it is logically read-only 🙂 Metasploit also grabs the banner of each anonymous FTP server. Note that the MKD/RMD probe is not silent: the directory creation and removal show up in the target's FTP log, and if the RMD fails (for example on an upload-only directory) the probe directory stays behind.
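The probe sequence described above (anonymous login, banner grab, MKD/RMD write test), written out as an added example in Python; this is not Metasploit's own code and not code from the original post. The probe directory name PROBE_DIR is a hypothetical choice, the "anonymous@example.com" password is an arbitrary anonymous-FTP convention, and the fake FTP server at the bottom is constructed only so the checker can be exercised offline against a read/write, a read-only and a login-refusing target; in practice sweep() would be fed the real host list.

```python
import ftplib
import socketserver
import threading
from concurrent.futures import ThreadPoolExecutor

PROBE_DIR = "anon_write_probe"  # hypothetical probe directory name (not Metasploit's)


def check_anonymous(host, port=21, timeout=1.0):
    """Return None when the port is closed or anonymous login is refused,
    otherwise {'banner': <220 greeting>, 'access': 'READ' | 'READ/WRITE'}."""
    ftp = ftplib.FTP()
    try:
        banner = ftp.connect(host, port, timeout=timeout)   # connect() returns the 220 greeting
    except OSError:                                          # refused, unreachable, timed out
        return None
    try:
        ftp.login("anonymous", "anonymous@example.com")      # USER -> 331, PASS -> 230 on success
    except ftplib.all_errors:                                # 530 or protocol error: not anonymous
        ftp.close()
        return None
    access = "READ"
    try:
        ftp.mkd(PROBE_DIR)                                   # MKD only succeeds if anonymous can write
        access = "READ/WRITE"
        try:
            ftp.rmd(PROBE_DIR)                               # clean up; may fail on upload-only dirs
        except ftplib.all_errors:
            pass
    except ftplib.all_errors:
        pass                                                 # 550 or similar: read-only
    try:
        ftp.quit()
    except ftplib.all_errors:
        ftp.close()
    return {"banner": banner, "access": access}


def sweep(targets, threads=32, timeout=1.0):
    """targets: iterable of (host, port). Returns {(host, port): result} for hits only."""
    targets = list(targets)
    hits = {}
    with ThreadPoolExecutor(max_workers=threads) as pool:
        results = pool.map(lambda t: check_anonymous(t[0], t[1], timeout), targets)
        for target, res in zip(targets, results):
            if res is not None:
                hits[target] = res
    return hits


class _FakeFtpHandler(socketserver.StreamRequestHandler):
    """Constructed FTP responder implementing only what the probe above exercises."""

    def handle(self):
        srv = self.server
        self.wfile.write(b"220 " + srv.banner + b"\r\n")
        while True:
            line = self.rfile.readline()
            if not line:
                return
            cmd = line.decode("latin-1").strip().split(" ", 1)[0].upper()
            if cmd == "USER":
                reply = b"331 Password required"
            elif cmd == "PASS":
                reply = b"230 Login successful" if srv.anonymous else b"530 Login incorrect"
            elif cmd == "MKD":
                reply = b"257 directory created" if srv.writable else b"550 Permission denied"
            elif cmd == "RMD":
                reply = b"250 directory removed"
            elif cmd == "QUIT":
                self.wfile.write(b"221 Goodbye\r\n")
                return
            else:
                reply = b"502 Command not implemented"
            self.wfile.write(reply + b"\r\n")


def start_fake_server(banner, anonymous, writable):
    """Start a constructed FTP server on 127.0.0.1 (ephemeral port); returns (server, port)."""
    srv = socketserver.ThreadingTCPServer(("127.0.0.1", 0), _FakeFtpHandler)
    srv.daemon_threads = True
    srv.banner, srv.anonymous, srv.writable = banner, anonymous, writable
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


if __name__ == "__main__":
    srv, port = start_fake_server(b"Welcome to my FTP Server", anonymous=True, writable=True)
    print(check_anonymous("127.0.0.1", port))   # {'banner': '220 Welcome to my FTP Server', 'access': 'READ/WRITE'}
    srv.shutdown()
```

The 1-second timeout mirrors the ConnectTimeout/FTPTimeout used above; on a real /19 the thread count, not the timeout, is what decides whether the sweep takes minutes or over an hour.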
Nmap
With Nmap, the following command scans for anonymous FTP, grabs the banner and fingerprints the service (-sC runs the default script set, which already includes ftp-anon, and -sV adds version detection), but does not test whether the anonymous FTP server is writable:
time sudo nmap -p21 -n -sC -sV --script=banner --script=ftp-anon xxx.xxx.xxx.0/19
Nmap took around 20 minutes to scan all 8192 IP addresses and returned only 11 anonymous FTP servers.
We got this kind of result:
Nmap scan report for aaa.aaa.aaa.aaa
Host is up (0.026s latency).
PORT   STATE SERVICE VERSION
21/tcp open  ftp   ProFTPD
|_banner: 220 aaa.aaa.aaa.aaa FTP server ready
|_ftp-anon: Anonymous FTP login allowed
Service Info: Host: aaa.aaa.aaa.aaa; OS: Unix
Nmap scan report for bbb.bbb.bbb.bbb
Host is up (0.027s latency).
PORT   STATE SERVICE VERSION
21/tcp open  ftp
|_banner: 220 Welcome to my FTP Server
|_ftp-anon: Anonymous FTP login allowed
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
We ran the complete scans twice with both Metasploit and Nmap and got the same results each time. What is surprising is the gap between the number of anonymous FTP servers detected by Metasploit (and verified by hand afterwards) and the number found by Nmap. One thing to keep in mind when comparing: Nmap skips any host its host-discovery phase considers down, so a run with -Pn (or a SYN ping aimed at port 21, -PS21) is worth comparing before blaming the script itself.
As suggested by Ron Bowes, I tested a different approach for the Nmap anonymous FTP scanning to improve the scan time.
First test with:
time sudo nmap -p21 -PS -n --script=ftp-anon xxx.xxx.xxx.0/19
Nmap finished the scan in 6 minutes and 20 seconds: still longer than Metasploit, but no longer 20 minutes. Most of the saving comes from dropping -sV and -sC (version detection and the default script set); -PS only replaces the default host-discovery probes with a TCP SYN ping.
Second test with:
time sudo nmap -p21 -PS -n -T4 --script=ftp-anon xxx.xxx.xxx.0/19
Nmap finished the scan in 6 minutes and 35 seconds; the -T4 option did not change anything in terms of performance.
Ron also confirmed that the Nmap ftp-anon Lua script misses some anonymous FTP servers, and does so randomly.
We have compiled a list of more than 5,000 usernames that have been used to try to brute-force logins on our HoneyNet servers. This list is updated every day.
Emerging Threats SIG 2001219 raises an alert when 5 connections to destination port 22/TCP are seen from the same source within an interval of 120 seconds. If we see, for example, 10 connections within 120 seconds, 2 alerts are triggered. This SIG can be used to detect SSH brute-force attacks.
Emerging Threats SIG 2006546 raises an alert when a packet to destination port 22/TCP contains both "SSH-" and "libssh". The alert is only triggered once 5 such connections have been seen within an interval of 30 seconds, and at most once per interval: if we see 10 connections within 30 seconds, only 1 alert is triggered. This SIG can be used to detect SSH brute-force attacks, but only from tools that use "libssh".
Emerging Threats SIG 2006345 raises an alert when a packet to destination port 22/TCP contains both "SSH-" and "libssh", with a threshold of 1 connection per 30-second interval: if we see 10 connections within 30 seconds, only 1 alert is triggered. This SIG can be used to detect SSH fingerprinting by tools that use "libssh". It is not useful for detecting SSH brute-force attacks because of its limit-type threshold, which fires on the first event and then stays silent for the rest of the interval.
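The three threshold behaviours described above (every 5th event per 120 s, once per 30 s after 5 events, once per 30 s on the first event) are easy to confuse, so here is an added example, not from the original post and not Emerging Threats' or Snort's code, that models the Snort threshold keyword types (threshold, both, limit) with per-source tracking and replays constructed SSH connection events through each SIG's threshold and content match. The client banners, the source address 203.0.113.5 and the event timings are all constructed; the threshold model is a simplified version of Snort's and the window handling is an assumption, but it reproduces the alert counts the text gives.

```python
# Constructed SSH client banners; only the libssh one satisfies content:"SSH-"; content:"libssh"
OPENSSH_BANNER = b"SSH-2.0-OpenSSH_5.3"
LIBSSH_BANNER = b"SSH-2.0-libssh-0.4.6"


def matches_libssh(payload):
    """The content matches shared by SIG 2006546 and SIG 2006345: both strings must be present."""
    return b"SSH-" in payload and b"libssh" in payload


class Threshold:
    """Simplified Snort-style 'threshold:' keyword, tracked by source address.

    limit     - alert on the first `count` events of each `seconds` window, then stay silent
    threshold - alert on every `count`-th event inside the window
    both      - alert once per window, when the `count`-th event arrives
    """

    def __init__(self, kind, count, seconds):
        assert kind in ("limit", "threshold", "both")
        self.kind, self.count, self.seconds = kind, count, seconds
        self._state = {}  # src -> (window_start, events_seen_in_window)

    def event(self, src, ts):
        """Feed one event for `src` at time `ts` (seconds); return True if it should alert."""
        start, n = self._state.get(src, (None, 0))
        if start is None or ts - start >= self.seconds:
            start, n = ts, 0            # first event, or window expired: open a new window
        n += 1
        alert = False
        if self.kind == "limit":
            alert = n <= self.count
        elif self.kind == "threshold":
            if n >= self.count:
                alert, n = True, 0      # fire and restart counting inside the same window
        else:                           # both
            alert = n == self.count
        self._state[src] = (start, n)
        return alert


# Threshold settings and content checks as described for the three ET SIGs
SIGS = {
    "2001219": {"threshold": ("threshold", 5, 120), "content": None},
    "2006546": {"threshold": ("both", 5, 30), "content": matches_libssh},
    "2006345": {"threshold": ("limit", 1, 30), "content": matches_libssh},
}


def run_sig(sid, events):
    """events: list of (src, ts, client_banner). Returns how many alerts the SIG raises."""
    kind, count, seconds = SIGS[sid]["threshold"]
    content = SIGS[sid]["content"]
    th = Threshold(kind, count, seconds)
    alerts = 0
    for src, ts, payload in events:
        if content is not None and not content(payload):
            continue                    # content match failed: the threshold never sees it
        if th.event(src, ts):
            alerts += 1
    return alerts


def ssh_events(src="203.0.113.5", n=10, spacing=2, banner=LIBSSH_BANNER):
    """Constructed burst: n connections from src, one every `spacing` seconds."""
    return [(src, i * spacing, banner) for i in range(n)]


if __name__ == "__main__":
    burst = ssh_events()                        # 10 libssh connections in 18 seconds
    for sid in SIGS:
        print(sid, run_sig(sid, burst), "alert(s)")   # 2001219: 2, 2006546: 1, 2006345: 1
```

Replaying the same 10 connections spaced 20 seconds apart shows why the threshold type matters: the "both" SIG never reaches 5 events inside one 30-second window and stays quiet, the "limit" SIG fires on the first event of each new window, and SIG 2001219 fires only once, since the 120-second window holds fewer than 10 events.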
In parallel you can correlate these alerts with your firewall logs and/or SSH daemon logs to build a real correlated alert. But as long as the attacker is not logged into your system, these alerts should not have a high priority, since most of the time these scans are done by bots. You could add the attacker's IP address to a "suspicious attacker" list for further trend and correlation analysis.
Another thing you can do is compare the usernames from the SSH brute-forcing dictionary with your existing SSH usernames. If one of your usernames is present in the dictionary, we recommend you change it.
24 hours SIG 2001219 events activity
1 week SIG 2001219 events activity
1 month SIG 2001219 events activity
1 year SIG 2001219 events activity
1 month TOP 10 source IPs for SIG 2001219
TOP 20 source countries for SIG 2001219
After the discovery of a new type of car license plate, created to fight the unpopular fixed speed cameras with an SQL injection, mikkohypponen, a security specialist, reported a funny way to SQL-inject service fingerprinting.
The service concerned is the HTTP service of the www.reddit.com website. Normally an HTTP service returns something like "Apache" or "IIS" in its Server header, but here you find a dedicated fingerprint.
SQL injection against fixed radar systems
SQL injection against services fingerprinting
Most of the time, fingerprinting is done with Nmap-like tools and the results may be stored in a database. ERIPP is well known for building a database of the 4 billion routable IP addresses with the fingerprints of their most common services. SHODAN is a similar kind of database: a computer search engine that lets you find machines running certain software (HTTP, FTP, etc.). Now imagine that the crawler code has an SQL injection flaw... oops, your database is gone because the fingerprint contains SQL injection code 🙂
For Reddit, we searched for "CREATE TABLE servertypes" on Google and found one service fingerprinting crawler using a database table called "servertypes" and targeting Reddit 🙂
banthar gist HTTP service fingerprinting crawler
Is Reddit protecting itself against information gathering, or is it just a sysadmin's joke?