My team and I designed and implemented a web server using Linux, Apache, MySQL, and PHP along with Prestashop, an open source web storefront. We then used a variety of penetration testing tools to uncover vulnerabilities in the software and implemented patches or fixes. As part of continuous development of the platform we kept adding features and then performed vulnerability testing on each new feature rolled out.
5. Security Auditing Tool: Nessus
Nessus allows scans for the following types of vulnerabilities:
• Vulnerabilities that allow a remote hacker to control or access sensitive data on a system.
• Misconfiguration (e.g. open mail relay, missing patches, etc.).
• Default passwords, a few common passwords, and blank/absent passwords on some system accounts. Nessus can also call Hydra (an external tool) to launch a dictionary attack.
• Denials of service against the TCP/IP stack by using malformed packets.
• Preparation for PCI DSS audits.
6. Break It: Nessus Vulnerability Scanning
Results from Scans
• No Critical or High results
• Most significant result was SSH Weak Algorithms Supported
• Some leads: HTTPS not being used
12. Break It: Social Engineering
• Email used to set up Prestashop advertised as web administrator account.
13. Fix It: Social Engineering
• Train employees to recognize social engineering attacks
• Ensure email is a business email and is separate from personal emails, i.e. help@business.com
14. Break It: Brute Force Password Attack
• Tool used: hydra
• Used known user ID against list of common passwords
• 3.55 tries per second = 213 tries per minute
16. Break It Tool: hping3
hping3 is a network tool able to send custom TCP/IP packets and to display target replies, much as the ping program does with ICMP replies. hping3 handles fragmentation and arbitrary packet bodies and sizes, and can be used to transfer files encapsulated under supported protocols.
21. Roadblocks
• Difficulty setting up the server: poor to non-existent install documentation online
• Difficulty scanning the server: initial scans were limited to minor vulnerabilities
• Some hardware limitations: hardware managed by Cyber Lab IT
22. Future Plans
• Additional rounds of attacking and patching the shop
• Implement the database
• Certify the server
We're the Build It, Break It, Fix It team. We designed and implemented a web server with an online shopping cart using free software, ran tests with a variety of tools to uncover vulnerabilities or bugs that could be exploited by attackers, and implemented patches or fixes for those exploits.
For the shop we chose the software Prestashop because of its claims to being open source and PCI compliant.
The shop runs on top of Apache 2.4.7, which was installed from the Ubuntu repositories.
We used Ubuntu 14 as it is still supported until 2019.
All the software is running on Dell PowerEdge R730 Rack Servers here in the cyber lab.
-Nessus categorizes results in 5 groups: Critical, High, Medium, and Low
-Most significant result was SSH Weak Algorithms Supported:
-The remote SSH server is configured to allow weak encryption algorithms or no algorithm at all.
-Nessus has detected that the remote SSH server is configured to use the Arcfour stream cipher or no cipher at all. RFC 4253 advises against using Arcfour due to an issue with weak keys.
https://threatpost.com/attack-exploits-weakness-rc4-cipher-decrypt-user-sessions-031413/77628/
-Some leads: Site using port 80 rather than port 443, which meant it was using the insecure HTTP protocol rather than HTTPS for user sessions.
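As an added example that is not part of the project's own work, the shell script below audits the Ciphers directive of an sshd_config for the Arcfour-family entries behind the "SSH Weak Algorithms Supported" finding and emits a hardened directive; the config fragment it reads is constructed for the demo.

```shell
#!/bin/sh
# Added example, not part of the project: audit the Ciphers directive of an
# sshd_config for the weak entries behind the "SSH Weak Algorithms
# Supported" finding and print a hardened directive. Caveat: with no
# Ciphers line at all, sshd uses its built-in default list, which on older
# OpenSSH releases still includes arcfour, so an absent directive is not a
# clean result.
WEAK_CIPHERS="arcfour arcfour128 arcfour256 none"

is_weak() {
    case " $WEAK_CIPHERS " in *" $1 "*) return 0 ;; *) return 1 ;; esac
}

# Read an sshd_config on stdin; print the ciphers of the first Ciphers
# directive (sshd honours the first occurrence), one per line.
listed_ciphers() {
    grep -i '^[[:space:]]*Ciphers[[:space:]]' | head -n 1 \
        | awk '{print $2}' | tr ',' '\n'
}

# Read an sshd_config on stdin; print each weak cipher it enables.
weak_ciphers() {
    listed_ciphers | while read -r c; do
        if is_weak "$c"; then echo "$c"; fi
    done
}

# Read an sshd_config on stdin; print a Ciphers directive with the weak
# entries removed, or a comment when nothing acceptable is left.
hardened_ciphers_line() {
    kept=""
    for c in $(listed_ciphers); do
        is_weak "$c" || kept="${kept:+$kept,}$c"
    done
    if [ -n "$kept" ]; then
        echo "Ciphers $kept"
    else
        echo "# no acceptable cipher listed (or no directive); set Ciphers explicitly"
    fi
}

# Constructed sshd_config fragment for the demo.
sample_config() {
    cat <<'EOF'
Port 22
Ciphers aes128-ctr,arcfour256,aes256-ctr,arcfour,aes256-gcm@openssh.com
EOF
}

echo "Weak ciphers enabled: $(sample_config | weak_ciphers | tr '\n' ' ')"
sample_config | hardened_ciphers_line
```

Run it against the real file with `weak_ciphers < /etc/ssh/sshd_config`, then restart sshd after replacing the directive.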
Allow web team to access help@business.com email address.
To test password security we used the tool hydra, which automates the process of password attempts.
In our example we know a valid user ID and use a list of common passwords to find a match.
Our list of common passwords was kept small so as to come up with a positive result within a few seconds.
Dell OptiPlex 7010
3.55 tries per second = 213 tries per minute
For fixes we first checked the Prestashop settings but didn't find anything that would either force password complexity or prevent excessive login attempts.
In the Prestashop modules page one can purchase a reCAPTCHA module that will significantly reduce the number of bots creating fake accounts.
To test network capacity we used the tool hping to send TCP/IP packets to the server to simulate a DDoS attack, as well as to gauge the capability of the server under severe network strain.
We utilized three Dell OptiPlex 7010 desktop computers running the hping command. A fourth computer recorded the test using Wireshark to capture the packets being sent.
~3300 packets over 200 seconds over 3 computers
23.66 packets per second per computer.
One potential fix for a DDoS or SYN flood attack is to create what's known as a chain in iptables, which is the default firewall in Ubuntu.
We create a custom chain called syn-flood and, using the data captured earlier, create a rule that ignores SYN requests from the same IP address if they exceed a certain limit.
Upon implementing the fix we performed another test, during which we discovered we were preventing access to the internet in addition to our server, which meant we were overloading the switch or router that provides internet access to the lab. Because of this we weren't able to log in remotely to the server to see if the fix was working.
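The syn-flood chain described above, as an added example that is not the project's own script: per-source limiting uses the iptables hashlimit match, the 20/sec rate and 40-packet burst are assumptions picked from the roughly 24 SYN/sec per host measured in the hping test, and IFACE is an assumed interface name.

```shell
#!/bin/sh
# Added example (not the project's own script): an iptables "syn-flood"
# chain of the kind described above. Per-source limiting uses the
# hashlimit match. The 20/sec rate and 40-packet burst are assumptions
# chosen from the ~24 SYN/sec per host seen in the hping test; tune them
# to the measured traffic. IFACE is an assumed interface name.
IFACE="${IFACE:-eth0}"

# Print (do not run) the iptables commands for the chain:
#   1. create the chain,
#   2. let each source IP through while it stays under RATE SYN/sec,
#   3. log (rate-limited) and drop anything above that,
#   4. send every incoming SYN on IFACE through the chain.
syn_flood_rules() {
    rate="$1"; burst="$2"
    cat <<EOF
iptables -N syn-flood
iptables -A syn-flood -m hashlimit --hashlimit-mode srcip --hashlimit-upto ${rate}/sec --hashlimit-burst ${burst} --hashlimit-name synflood -j RETURN
iptables -A syn-flood -m limit --limit 6/min -j LOG --log-prefix "SYN-FLOOD DROP: "
iptables -A syn-flood -j DROP
iptables -I INPUT -i ${IFACE} -p tcp --syn -j syn-flood
EOF
}

# Apply the printed rules on the server (needs root). Any earlier copy of
# the chain is unhooked and removed first so the function can be re-run
# after tuning the rate.
apply_syn_flood() {
    iptables -D INPUT -i "$IFACE" -p tcp --syn -j syn-flood 2>/dev/null || true
    iptables -F syn-flood 2>/dev/null || true
    iptables -X syn-flood 2>/dev/null || true
    syn_flood_rules "$1" "$2" | sh -e
}

# Show per-rule packet counters. A rising count on the DROP line is local
# evidence that the chain is biting, which the remote login attempt
# described above could not provide once the uplink was saturated.
syn_flood_status() {
    iptables -L syn-flood -v -n
}

# Stand-alone run: preview the rules for a 20/sec, burst 40 policy.
syn_flood_rules 20 40
```

Review the printed rules, then run `apply_syn_flood 20 40` as root and watch `syn_flood_status` from the console during the next test.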
Setting up Prestashop took longer than expected because it has a large list of dependencies that are not installed along with it. The Prestashop website has install documentation that only covers installing their software and not all the dependencies.
Since the hardware was managed by the Cyber Lab IT, we didn't have much control over the hardware design of the server or its network connection. Time was spent determining the architecture of the Cyber Lab when we weren't getting the results expected during our initial scans and during the DDoS attack.