www.chmag.in
May 2013 | Page - 1

Fighting the Advanced Threats

Knowing how to manage incidents is a critical element for every security environment. The incident analysis begins with the forensics and ends with the report given to the Incident Manager. The task involves digital forensic investigators, malware analysts and network operators. Only through the evaluation of the network streams and the identification of the way the attacker has infected the systems and has spread in the network or has exfiltrated information is it possible to understand what the cybercriminals were up to.

Some organizations (Mandiant, for example) have written and developed a set of indicators that could help in deriving the basic information of every compromise, in order to locate malicious artifacts throughout the organization.

However, in my experience as Incident Response Team Leader, the process is always more complex and strongly related to the victim, her organization and her security capability, but it is also strongly bound to the type of attack and the organization behind the attack itself. It is extremely complex today to bring the parties responsible for the incident to justice. But let's look at some examples.

The malware wail

It is a Thursday morning before a sunny weekend; the online ticket office of a big transportation company is already full of users booking their weekend travels. In just a few moments the website of the ticket office starts to slow down and increase its memory consumption.

The monitoring stations begin to alarm the internal personnel about a weird behavior from the front-end of the online ticket platforms. In about twenty minutes, despite the attempt to modify the load balancers and the responsiveness of the Front-End, the online ticket office is blocked.

The Security personnel, alerted about the situation, try to analyse whether the firewall or the Intrusion Prevention Systems have noticed something strange, but just to understand if the problem is security-related the operators should copy the log of the last hour and start to dissect every possible connection: a three hour job, to say the least.

In the meanwhile, the Network personnel are looking at the configuration of the load balancers and the systems and have already confirmed that there is nothing extraordinary, except for the slowness of the Front-End.

The Security Manager asks the Computer Emergency Response Team to start a deep analysis, although the Company Management continues to think that the problem is related to the Service Provider.

The Company ICT managers, looking to resolve the issue as quickly as possible, ask the Network Operators and the Security Operators to limit the inspection and security measures on the front-end to a minimum, but the problem persists, despite a little improvement in the responsiveness of the whole platform. So the Company asks the Service Provider if it has done something during the latest 48 hours, but the Internet Service Provider does not answer the request quickly, attempting to get more time to evaluate the situation.

Unfortunately, by limiting the inspection and the controls over the incoming traffic, the Company has done exactly what the attackers were looking for, and so they start their real attack against the Back-End of the Ticket office.

Three days later, with the online platforms still showing a series of problems and weird behaviours, some users complain that their credit card codes have been stolen by unknown cybercriminals after being used in the online ticket office. They have booked in the last seven days a ticket from the transportation company, but have not spent money through Credit Card in other online services. The number of complaints increases to more than 300 in about six hours, too much for being just a coincidence.

The Incident Response Team Leader divides the engagement in two different tasks:

- Front-End Systems analysis
- Back-End Systems analysis

In about three hours, looking at Front-End traffic streams, the Network specialist of the CERT Team identifies a strange and repeated series of connections from a small group of IP addresses originating from Seoul (South Korea). The streams are an apparently correct sequence of HTTP and HTTPS traffic, but instead of requesting simple access to web pages (through the load balancers), the connections are requesting a lot of data from the web forms of the ticket office.

Meanwhile, the Back-End Team has discovered that the Database of the public infrastructure, despite the correct segmentation behind a two-tier model of the communication flows with the Front-End, appears overwhelmed by several processes originated from the Front-End. These processes are, apparently, normal requests with a high series of Database operations in their payload.

In fact, the Back-End Team, by comparing the average CPU and Memory consumption of the previous month with the CPU and Memory consumption of the latest five days, identifies important discrepancies. Basically, in the latest four days the CPU and Memory resources occupied by processes on the Back-End have grown from 20% to more than 60% on a daily basis, with peaks of 80% on many occasions.

By comparing the data collected from both teams the CERT is now able to identify what is really going on: a Slow Loris DDoS attack. But this does not explain the stolen Credit Cards.
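The pattern the Network specialist spotted by hand, a small group of addresses holding many long-lived, incomplete HTTP requests open at once, is what a Slow Loris client produces by design and it can be flagged automatically. The following is an added example, not code from the article or from the CERT described in it; the connection-log format, the thresholds and every sample record are constructed for the example.

```python
"""
Added example (not from the article): flag source addresses that hold many
incomplete HTTP connections open at the same time, the Slow Loris signature.
Log format, thresholds and sample records are constructed for this example.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Conn:
    src: str
    opened: datetime
    closed: datetime
    completed: bool  # True if the server ever received a full HTTP request


def parse_line(line):
    """Parse one constructed record: '<opened> <closed> <src_ip> complete|incomplete'."""
    opened, closed, src, status = line.split()
    return Conn(src, datetime.fromisoformat(opened), datetime.fromisoformat(closed),
                status == "complete")


def concurrent_incomplete(conns, at):
    """Per source IP, how many incomplete connections are open at instant `at`."""
    counts = defaultdict(int)
    for c in conns:
        if not c.completed and c.opened <= at < c.closed:
            counts[c.src] += 1
    return dict(counts)


def suspect_sources(conns, min_open=20, min_hold=timedelta(seconds=60),
                    window=timedelta(seconds=10)):
    """
    Flag source IPs that at some sampling instant hold >= min_open incomplete
    connections, each of which stayed open for at least min_hold. Returns
    {src_ip: peak_concurrent_count}. A browser that drops a request now and
    then never reaches min_open; a Slow Loris client does so on purpose.
    """
    if not conns:
        return {}
    slow = [c for c in conns if not c.completed and c.closed - c.opened >= min_hold]
    t = min(c.opened for c in conns)
    end = max(c.closed for c in conns)
    flagged = {}
    while t <= end:
        for src, n in concurrent_incomplete(slow, t).items():
            if n >= min_open:
                flagged[src] = max(flagged.get(src, 0), n)
        t += window
    return flagged


def constructed_log():
    """Constructed sample traffic: one attacker, eight ordinary clients, one flaky client."""
    t0 = datetime(2013, 5, 2, 9, 0, 0)
    lines = []
    for i in range(25):  # attacker: 25 connections held open five minutes, never completed
        o = t0 + timedelta(seconds=i)
        lines.append(f"{o.isoformat()} {(o + timedelta(minutes=5)).isoformat()} 203.0.113.7 incomplete")
    for i in range(40):  # ordinary browsing: two-second complete requests
        o = t0 + timedelta(seconds=3 * i)
        lines.append(f"{o.isoformat()} {(o + timedelta(seconds=2)).isoformat()} 198.51.100.{i % 8 + 1} complete")
    for i in range(3):  # flaky client: a few dropped requests, not an attack
        o = t0 + timedelta(seconds=i)
        lines.append(f"{o.isoformat()} {(o + timedelta(minutes=2)).isoformat()} 198.51.100.200 incomplete")
    return lines


def analyse(lines, **kwargs):
    """Run the detector over raw log lines."""
    return suspect_sources([parse_line(l) for l in lines], **kwargs)


if __name__ == "__main__":
    print(analyse(constructed_log()))
```

The two thresholds are the whole detector: `min_hold` separates a slow client from one that is deliberately stalling, and `min_open` separates a single stalled connection from a pool of them; both need tuning against a baseline of the site's own traffic before they are trusted.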

It takes the following 40 hours of comparative analysis on the Firewall, IPS and Internal network streams to identify the second part of the attack. Exploiting the reduced set of defences enforced after the first wave of the Slow Loris attack, the cybercriminals have used an already compromised internal computer (a laptop) with a custom backdoor (a variant of Cybergate RAT) operating through a chained, unauthorized Company proxy (on TCP port 3128) to access the Back-End and, through the internal credentials of the laptop owner, they have dumped the Database and slowly transferred its tables to a public dropzone through HTTP streams.

The Incident Response report, a 150 page book, is an example of street-level tools well exploited by cybercriminals. The Blackhats behind the attack have not been identified, but at least the economic impact of the fraud has been limited and the users have been refunded.
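Both halves of that second phase, an internal host using a proxy the Company never sanctioned and a slow trickle of HTTP traffic to one external address, leave a trace in flow records that is invisible per connection and obvious in aggregate. The following is an added example, not code from the article or from the CERT it describes; the flow-record format, the sanctioned-proxy list and all addresses and sizes are constructed for the example.

```python
"""
Added example (not from the article): two checks over flow records for the
second phase described above: an internal host talking to an unsanctioned
proxy port, and a sustained HTTP upload from one internal host to one
external destination. Format, addresses and sizes are constructed.
"""
from datetime import datetime, timedelta
import ipaddress

SANCTIONED_PROXIES = {"10.1.0.10"}  # constructed: the only approved outbound proxy
PROXY_PORTS = {3128, 8080}
INTERNAL = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL)


def parse_flow(line):
    """Parse one constructed flow record: '<ts> <src> <dst> <dport> <bytes_out>'."""
    ts, src, dst, dport, out = line.split()
    return {"ts": datetime.fromisoformat(ts), "src": src, "dst": dst,
            "dport": int(dport), "bytes": int(out)}


def unsanctioned_proxy_use(flows):
    """Internal hosts using a proxy port on an internal host that is not an approved proxy."""
    hits = {(f["src"], f["dst"], f["dport"]) for f in flows
            if is_internal(f["src"]) and is_internal(f["dst"])
            and f["dport"] in PROXY_PORTS and f["dst"] not in SANCTIONED_PROXIES}
    return sorted(hits)


def slow_exfil_candidates(flows, min_total=50_000_000, min_hours=6):
    """
    One internal source sending at least min_total bytes over HTTP/HTTPS to one
    external destination across a span of at least min_hours. Each flow on its
    own is unremarkable; only the total over time stands out.
    Returns [(src, dst, total_bytes, span_hours)].
    """
    agg = {}
    for f in flows:
        if is_internal(f["src"]) and not is_internal(f["dst"]) and f["dport"] in (80, 443):
            key = (f["src"], f["dst"])
            total, first, last = agg.get(key, (0, f["ts"], f["ts"]))
            agg[key] = (total + f["bytes"], min(first, f["ts"]), max(last, f["ts"]))
    out = []
    for (src, dst), (total, first, last) in agg.items():
        hours = (last - first).total_seconds() / 3600
        if total >= min_total and hours >= min_hours:
            out.append((src, dst, total, round(hours, 1)))
    return sorted(out)


def constructed_flows():
    """Constructed sample: a laptop using a rogue proxy, the proxy trickling data out,
    and ordinary browsing through the approved proxy."""
    t0 = datetime(2013, 4, 25, 22, 0, 0)
    lines = []
    for i in range(72):  # 72 flows, ten minutes apart, through the night
        t = (t0 + timedelta(minutes=10 * i)).isoformat()
        lines.append(f"{t} 192.168.5.23 10.2.3.44 3128 40000")   # laptop -> rogue proxy
        lines.append(f"{t} 10.2.3.44 203.0.113.50 80 1000000")   # rogue proxy -> dropzone
    for i in range(30):  # normal browsing via the approved proxy
        t = (t0 + timedelta(minutes=2 * i)).isoformat()
        lines.append(f"{t} 10.3.3.3 10.1.0.10 3128 20000")
        lines.append(f"{t} 10.1.0.10 198.51.100.9 443 200000")
    return lines


if __name__ == "__main__":
    flows = [parse_flow(l) for l in constructed_flows()]
    print(unsanctioned_proxy_use(flows))
    print(slow_exfil_candidates(flows))
```

The proxy check is a pure allow-list and needs nothing but an accurate inventory of approved proxies; the exfiltration check is the one that needs a baseline, since a backup job or a legitimate sync to a cloud service will look identical unless the destination list is maintained.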

Another teeny-weeny malware case

A big oil Company has shared some strategic plans with one of its subcontractors operating in emerging markets about a new set of oil rig licenses they are planning to collect from the local National Company after two years of intense political initiative. The subcontractor has been informed because it has the essential knowledge to help the Company design and set up the rigs. The subcontractor has signed a very tight Non-Disclosure Agreement for the case, but he has worked with the Oil Company for more than a decade; no doubt about his trustworthiness.

However, two days before the agreement will be closed, the subcontractor's internal network records a strange set of performance hiccups, especially in the Restricted File Servers located in the Server Farm in his Headquarters. The problems are related to unresponsiveness and poor performance in I/O operations during the night backups, enough to fire the SNMP Monitoring Station about forty times in two hours.

The Sys Admin of the Servers checks the logs, the processes and the resources available and finds nothing. Nevertheless, to ensure proper monitoring of the entire situation he activates a subset of monitoring processes through his credentials by manually starting them on both the file servers. He is unsure whether the problem was originated by a failed update procedure for one of the latest patches distributed by the local patch management system. He also calls the Net Admin, telling him about the strange behaviour of the File Servers and asking if the network guys have modified something in the latest three to five days.

The Net Admin denies any modification and assures the Sys Admin that he will investigate further. In fact the Net Admin immediately checks the local network and routers and finds nothing. The intranet is strictly regulated by static routing without complex rules and all seems to be under normal operating conditions.

The ICT Manager, informed by the personnel about the weirdness, calls the Security Manager asking for his cooperation. The Security personnel, informed of the incidents, contact the Sys Admin and the Net Admin and do not carry out further investigations, concluding that the issue is bound to patch misconfiguration errors. No more analysis will be made for the day.

When the day of the agreement arrives the Oil Company receives a call from its representatives. Something has changed the mind of the local Government. The license will not be issued that day and probably the drilling permits will be granted only through a public auction. All the efforts to achieve the permission early and privately were sunk and a complex negotiation is about to begin. But what has changed the mind of the Minister out of the blue?

Later the same day, the representatives call the Company again to inform it that the licenses will be given, the next day, to their biggest competitor without auction. The Prime Minister himself has awarded the competitor the license of extraction.

The Company calls the subcontractor immediately. The agreement was known only by a restricted number of individuals of both Companies and just a few big local political figures. How has the competitor been so brave and capable as to beat them in just a few days without notice? The Subcontractor managers swear that they have not given the information to others and that their plans have been preserved in the most secure location in their Company.

The next day, the friendly faces in the entourage of the local Prime Minister tell the Company representatives that a few days ago the Prime Minister was contacted by their competitor and that something has happened, because the Prime Minister himself has then met the Ministry of the Environment and the Ministry of Industry about the oil rig concessions. They also say that the competitor has made an offer slightly better than the original one made by their Company, but fair enough to convince the Prime Minister.

A week later, the Sys Admin of the Subcontractor, during a routine cleaning of local logs, discovers a scary set of entries in the SQL Database Event Logs. The first weird log is about an access with Backup Operator at about 9:00 PM ten days ago. Weird, because the Backup Operator is a bot that is always started at 2:00 AM and is linked to Backup processes carried out at night. But the scariest logs are a set of unsuccessful login attempts made from the SQL Admin account between 9 PM and 5 AM the same night.

In fact, by correlating the Event with the Domain pre-authentication failed message, a set of login attempts was discovered by the Admin in about five servers of the Restricted Area.

The domain controller logs record a long strip of code 675 events in the Event Log:

Pre-authentication failed:
User Name: SQLAdmin
User ID: DCDomain\SQLAdmin
Service Name: krbtgt/DCDomain
Pre-Authentication Type: 0x2
Failure Code: 24
Client Address: 192.168.2.174

These records contain the username and IP address of a workstation normally used by several users to manage backup and restore of data in the Restricted Area.

Immediately the Sys Admin calls the Security Team and forwards them all the logs, explaining the situation. Three days and lots of coffees later the Security Manager arranges a meeting with the board to show what his team has discovered: basically they have been the target of an attack made by some pros out there. The attackers have used several bulletproof VPS to jump into their network and steal their classified data.

They have not been able to identify the attack for several reasons. Basically they have been compromised by a vulnerable laptop used by the Network Team to patch or manage their systems via serial console connection. In fact the laptop, an old Windows 2000 Workstation, was used by the team because it was the only laptop with a native serial (COM) interface. The laptop has been directly attacked when it has been left turned on and directly connected to the internet during the weekend two weeks earlier, after a scheduled maintenance.

The attackers have exploited the system and then have left a keylogger (Dracula Logger) inside the machine in persistence mode. Through this action they have collected a couple of Network Operator Domain accounts, useful to access the Restricted Area of the Data Center. They have also jumped to the Maintenance Workstation, a Windows XP SP3 machine used by Network and Backup Operators. With some Domain Accounts in their hands the attackers have tried to force access to the File Servers and the SQL Databases, but initially they have not succeeded. So they have tried to copy some instances of the SQL Database, thus generating network issues, but basically without result, considering that the SQL Database was encrypted.

The real problem has been the capture of the Sys Admin credentials when he started the additional monitoring tools through the Maintenance Workstation. Through this part of the puzzle they have been finally able to steal files and private data.

The Security Manager concludes that they have relied too much on looking at Network logs and Firewalls to enforce Security. In fact nothing has been recorded by their IDS during the SQL bruteforce attack, because the encryption of the Database login packets has created a network blackhole, making them unable to track user credentials when applications authenticate through IDS Systems. The meeting ends with the resignation of the Security Manager.

What to do?

How to catch the attacks that I've depicted? There is a lot to do to improve our general responsiveness against what the market calls Advanced Persistent Threats (APT). To be honest I don't like the name: APT is too generic and misses the real capabilities that mark attacks like the ones I've shown earlier.

I prefer the name Advanced Attack Patterns, because the attackers use specific strategies and because quite often they don't want to stay persistent, to reside in the victim network. Instead they adopt subtle strategies that rely on multiple stages. They don't want to remain in the target network more than they need. This means that the adoption of Exploit Kits, Trojans and Keyloggers is defined in a complex canvas where it is up to the attacker to choose one tool instead of another. This does not mean that Exploit Kits or Trojans are not a weapon of choice in such attacks, but they are chosen only if the target could be reasonably exploited by these tools instead of custom versions of other advanced tools.

However, what I think we should do is enforce a relatively complex Security strategy that should force the attacker to play by ear, to improvise. Normally attacks like the ones I've told you about are made by patient and skilled people, but even to the most skilled blackhat the worst scenario is the one where he has to act without a proper plan, without a strategy that makes him comfortable. The risk is to be caught, or at least to lose money and time by alarming the victim.

But how can we force the attacker to play on our turf? In my opinion there are several ways; the most important is Company awareness and readiness, in a word, to have a Computer Emergency Response Team that really works.

Enforce a verification lifecycle

In both cases that I've described, the lack of knowledge or the inappropriate adoption of Security procedures have given the attacker the chance to fulfill his goals, to steal restricted or private data. In my opinion, the critical events are normally generated by a dangerous mix of attacking skill and inaccurate reaction. In fact, often the reaction to some minor incidents that could be seen as a prologue of the real attack is carried out in an incoherent way, underestimating the real threat. Sometimes instead, by not correlating the events, the Security or Network operators do not see the attack and their reactions generate more entropy, making the subsequent analysis extremely hard.

All this means that a proper lifecycle of testing should be put in place not only for evaluating the technologies and the infrastructures, tasks normally carried out by Vulnerability Assessments and Penetration tests, but also for checking the procedures, the awareness and the readiness of the Company personnel. In my experience, testing the Company with a simulation of an ICT incident once in a while ensures an improved level of reactiveness not only for the Security teams, but for the entire Company. But the management of incident tests and the readiness of the entire Company should pass into the hands of the Incident Response Team, the internal structure that should play a role during critical situations.

More space and responsibilities to the Incident Response team

In a world where a DDoS could be arranged and carried out in just a few minutes, or a computer could fall victim to a drive-by download in just a few seconds, being ready to face malicious threats is an imperative goal of every mid to large Company. And today readiness cannot be ensured just with technology. It is essential to have at least a small but skilled internal team of Security experts that could be triggered when problems arise. In my experience this is invaluable.

It remains to note that the Team should be made responsible for the actions taken during the incident situation. At the same time, space should be given to it, in terms of operational freedom and availability of proper communication channels with all the other internal and external structures. In fact, it is extremely important to have a direct link with all Company Third-Party ICT providers and to ensure the highest operational capabilities.

A very good paper about the subject can be downloaded here: http://www.cert.org/archive/pdf/07tr008.pdf

More capabilities for Incident Response

To give the Incident Response more operational capabilities, a proper set of procedures and toolkits should be made available. In my experience the procedures should be highly customized for the environment, because each Company has her own set of rules and policies. Instead, speaking about technology and toolkits, they could be divided into three areas:

- Early Warning tools
- Inspection tools
- Mitigation tools

Early Warning means all the operational awareness that every IRT should keep constantly updated. This means following the Security Information flows based on online news, exploit updates, malware analysis and early warning systems. In this field my team, for example, has developed a platform, called Sybil, that collects and checks several potential attack patterns, via honeypots and sandboxes, and could inform the IRT about the newest threats or the massive diffusion of malware campaigns.

The Inspection Tools are forensic, system and network analysis tools useful during the incident. They could be divided into two groups: Centralized tools and Field kits. In the Centralized tools category fall the Log inspectors, the correlators, the SIEM and the monitoring tools; even the Antivirus Console could be considered in this field. However, one invaluable tool in the Centralized category is the Sandbox environment. By studying the behaviour of a malware in a sandbox environment the team could understand the strategy adopted by the attacker or, at least, identify the modifications introduced to the victim system by the malware and plan a set of corrective measures. Field Kits instead are a set of Linux distros, such as CAINE or DEFT Linux, that are invaluable in Forensic investigations. Some Field Kits are prepared on Windows Systems and include FTK or Encase applications, but such kits are really expensive, and money does not always mean value and capability, in my opinion. Nevertheless, having such tools could be very useful, especially when the victims are smartphones or tablets.

Mitigation Tools are related to reaction capabilities, for example IPS or Firewall consoles, but also tools that could be used to quarantine an environment. This category, however, is the most strictly related to the specific environment and is the one that should be ruled by very tight and clear procedures, in order to avoid misunderstandings and errors during the incident handling and the sanitization of compromised systems.

As you can see I've not specified tools and technologies because it is up to the single team to define its preferred choices.

My advice is just to push further the idea of the Incident Response as a real focus of the Security strategy of every corporate environment. Because, today, to lack proper management of potential threats means that the Company is sitting on a time bomb and uses the timer to synchronize its clocks.

Stefano Korolev Maccaglia
stefano.maccaglia@gmail.com

Stefano is a Security expert with a long streak of successful international projects behind him, spanning from Infrastructural Security to DWDM Optical Networking. He's been leading the Black Sun crew since its foundation and is constantly involved, as a Chief Research Officer, in cyberwarfare, malware analysis and incident response.

Anatomy Of Control Environment

Background

Information security leaders today are under intense pressure, charged with protecting their organization's information assets: information, customer data, intellectual property etc. Most Chief Information Security Officers (CISOs) are now getting more attention from senior executives than two years ago. With amendments to the IT Act in 2008 and the formation of rules by the Ministry of IT in 2011, security has now become a compliance requirement too. In addition, a series of high-profile hacking and data breaches has helped in convincing industry leaders of the key role that information security has to play.

Rather than just reactively responding to security incidents, the CISO's role is shifting to proactively addressing security based on holistic risk assessment. Although the positive signs are encouraging, there are still a few concerns and issues that are being ignored. Example:

1. Information security is still considered the CISO's accountability, whereas it needs to be that of senior management, with the CISO as facilitator.
2. Many organizations still consider it as IT security rather than information security.
3. Most efforts are directed toward compliance and certification. This puts pressure on the CISO/CIO for implementing the ISO 27001 standard (since the rules under the IT (Amendment) Act 2008 insist that a security standard like ISO 27001 be implemented and certified). Though this approach helps in getting security certification, generally all efforts are directed towards maintaining certification rather than maturing information security processes.
4. Security is treated as an afterthought process and hence for many projects required for business, security is patched in after completion rather than embedded into the design.
5. Security Governance is limited to reviewing root causes for incident and problem management.

The existence of problems may not be due to ignorance of the need for security, but to the need for integrating information security processes with IT processes. The challenge has been more difficult due to the availability of multiple frameworks/standards, or the absence of them. The objective of this article is to introduce how to mature information security processes.

Current trends

The changing scenario of threats and opportunities impacts the information security processes and CISOs have to face the challenges. Gartner has identified various technology trends mainly in four areas, i.e. CAMS (Cloud, Analytics and Big Data, Mobile computing and Social Media). These trends are inevitable for business to adopt. The new era of crime that rides the technology revolution has created the need to build security around it without compromising the benefits; doing so in order to derive value for the business is a challenge for the security and assurance professionals.

On the external threat front the trends are well past traditional viruses and script kiddies, who used to be happy disturbing the Sunday afternoon siesta by ringing the doorbell and running away. It is now a professional world where targeted attacks and advanced persistent threats (APT) are here to stay. Attackers (I do not see the point in calling them hackers anymore) use multifaceted tools like hacking, social engineering and zero-day attacks to gain access, and once inside remain inside without being detected. The objective is to gather information for various uses like terrorism, killing competition, damaging reputation etc.

The CISOs have accepted the fact that being attacked is a question of when and not if. Attackers are now targeting all resources of organizations, mainly people, rather than just the IT resources of organizations like websites, applications, servers etc.

CISOs' Dichotomy

On one hand, in order to provide assurance to the management on the security of information, CISOs strive to implement the latest technologies like SIEM, IPC, Content filters, DLP, DRM, DAM, but they also need skilled human resources to effectively manage these technologies. On the other hand, management does wish to protect but wants to know the value derived from the investment. Stakeholders are more interested in cost-benefit analysis while investing in security resources. The primary job for CISOs, therefore, is selecting appropriate controls that will satisfy the cost-benefit requirements.

Selection of Controls

A real technical CISO shall not be very happy with constraints related to cost, whereas a management-trained person might see the value of the constraint. The challenge is how to do it? The answer is to conduct a Risk Assessment (in simple words, use common sense). Risk assessment is done in various ways and there are multiple standards and frameworks available. The idea is to evaluate the likelihood of a threat materializing, and if it materializes, how much damage can it do? E.g. a zero-day virus attack might affect the operations. The likelihood is high (i.e. anytime or once every day), the impact is also high, so combining these two factors and converting them into notional monetary terms shall provide a CISO with the total impact due to a possible zero-day virus attack.

Then the CISO needs to consider all possible controls, including technologies (e.g. heuristic Anti-virus), monitoring, Desktop controls, awareness trainings, skilled human resources for monitoring etc. All these controls shall focus on reducing either the likelihood or the impact or both associated with the threat. E.g. a smoke detector reduces the impact by giving early warning to take action to douse the fire; using fireproof material and controlling inflammables shall reduce the likelihood of fire.

Although in theory it appears easy and simple, in reality the challenges faced by a CISO while implementing information security are enormous. Example:

1. Assessing risk is not routine practice and hence many organizations still stumble in the risk management area.
2. When compliance is the primary requirement for information security, process optimization and governance mechanisms are generally absent.
3. There is a possibility of disconnect in the linkage between enterprise risk management and IT risk management, resulting in excess or inadequate security controls.
4. The relation between control and risk mitigation is not one-to-one and simple but generally ends in a many-to-many relationship.
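The likelihood-times-impact figure, the controls that cut one or the other, and the many-to-many relation between controls and threats can be put into one small cost-benefit model, which is what makes the cost constraint a question a CISO can answer with numbers. The following is an added example, not from the article or its author; every threat, control, figure and reduction factor in it is constructed, and a real assessment would take them from the organization's own risk register.

```python
"""
Added example (not from the article): cost-benefit selection of controls in
the many-to-many form the text describes. Each threat has a likelihood
(expected occurrences per year) and an impact (notional loss per occurrence);
each control has a yearly cost and scales the likelihood and/or impact of one
or more threats. All threats, controls, figures and factors are constructed.
"""
from dataclasses import dataclass, field


@dataclass
class Threat:
    name: str
    likelihood: float  # expected occurrences per year
    impact: float      # notional loss per occurrence


@dataclass
class Control:
    name: str
    cost: float        # yearly cost
    # threat name -> (likelihood multiplier, impact multiplier); 1.0 means no effect
    effect: dict = field(default_factory=dict)


def annual_loss(threats, controls):
    """Expected yearly loss with the given controls applied (multipliers compound)."""
    total = 0.0
    for t in threats:
        likelihood, impact = t.likelihood, t.impact
        for c in controls:
            lf, imf = c.effect.get(t.name, (1.0, 1.0))
            likelihood *= lf
            impact *= imf
        total += likelihood * impact
    return total


def net_benefit(threats, controls):
    """Loss avoided minus control cost; positive means the set pays for itself."""
    baseline = annual_loss(threats, [])
    return baseline - annual_loss(threats, controls) - sum(c.cost for c in controls)


def best_subset(threats, controls):
    """Exhaustively pick the subset of controls with the highest net benefit."""
    best, best_value = [], 0.0
    n = len(controls)
    for mask in range(1, 1 << n):
        subset = [controls[i] for i in range(n) if (mask >> i) & 1]
        value = net_benefit(threats, subset)
        if value > best_value:
            best, best_value = subset, value
    return [c.name for c in best], best_value


# Constructed register: two threats, four candidate controls.
THREATS = [
    Threat("zero-day malware", likelihood=12.0, impact=50_000.0),
    Threat("credential theft", likelihood=4.0, impact=200_000.0),
]
CONTROLS = [
    Control("heuristic anti-virus", cost=60_000.0,
            effect={"zero-day malware": (0.5, 1.0)}),
    Control("24x7 monitoring team", cost=300_000.0,
            effect={"zero-day malware": (1.0, 0.4), "credential theft": (1.0, 0.5)}),
    Control("awareness training", cost=20_000.0,
            effect={"credential theft": (0.6, 1.0)}),
    Control("gold-plated DLP suite", cost=900_000.0,
            effect={"credential theft": (1.0, 0.7)}),
]

if __name__ == "__main__":
    print("baseline loss:", annual_loss(THREATS, []))
    print("best set:", best_subset(THREATS, CONTROLS))
```

The exhaustive search is fine for a handful of controls and makes the many-to-many point visible: the monitoring team earns its cost only because it touches both threats, and the expensive DLP suite never makes the cut because it reduces one factor of one threat.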

The Balancing Act

The decision on control selection based on the outcome of the risk assessment can take one or more of four decisions, as depicted in the following diagram.

The CISO needs to practically identify and select controls. It may not be possible to have tools for, or to automate, all controls. And although there are solutions available, these are not a panacea: e.g. in the case of an advanced persistent threat (APT) attacker and his polymorphic techniques, securing a complex network is a human-intensive problem which cannot be automated away, because the agents are merely the vehicles of the attackers, who are dynamic, intelligent, and focused humans.

Summary

The changing technology and threat trends are forcing organizations to concentrate on new methods to ensure that information is secure, rather than just combating the external threats. It might require integrating information security within business and thence IT operational processes using an enterprise-wide risk management framework. Stakeholders, internal as well as external, are interested not only in the well-being but also in ensuring the security of the organizations.

Sunil Bakshi
bakshies@gmail.com

OWASP SKANDA
SSRF Exploitation Framework

Is your server protected against port scanning? The general answer will be "Yes, I have a firewall which restricts access to internal servers from outside." What if I tell you I can still scan the ports on your server and your firewall wouldn't know about it!

People usually think that it is not possible to do a complete port scan on the web server and other servers behind the firewall. This article will make you think otherwise. If the web application running on a server has an SSRF (Server Side Request Forgery) vulnerability then it is possible to do port scans on the devices behind the firewall. Once you find an SSRF vulnerable server, SKANDA can do an automated scan for you and provide you the status of the ports present on that vulnerable server.

So what are we going to talk about in this article?

In this article, the agenda is mainly Cross Site Port Attack. Cross Site Port Attack is a type of SSRF vulnerability (@ONsec_lab, http://lab.onsec.ru). Using this attack, Riyaz Walikar (@riyazwalikar) was able to do a port scan on the internal servers present in Facebook's intranet. Similarly, he was able to exploit this vulnerability on Google, Apigee, StatMyWeb, Mozilla.org, Face.com, Pinterest, Yahoo, Adobe Omniture and several others. All together he was able to earn a whopping $5k as bounties using this one type of vulnerability. YES, it can fetch you that much money!!

SSRF can help an attacker do port scans on intranet and external Internet facing servers, fingerprint internal network aware services, perform banner grabbing, identify web application frameworks, exploit vulnerable programs, run code on reachable machines, exploit web application vulnerabilities listening on internal networks, read local files using the file protocol and much more.

First of all, let's see how NMAP works

NMAP uses raw IP packets in novel ways to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems (and OS versions) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics. In short, it uses the TCP/IP protocol to do a port scan and the packets are sent from your machine which is running the NMAP scan. So firewalls designed to protect from port scans keep a check on the ports and decide which port is supposed to respond to any packet coming from a machine outside of the intranet.

How is SKANDA's port scan different from normal scanning:

Other scanners use TCP protocols to scan a particular server whereas SKANDA uses HTTP requests to scan the ports.

So is it possible to bypass these firewalls? Cross Site Port Attack:

Cross Site Port Attack (XSPA) is a kind of SSRF vulnerability. An application is vulnerable to Cross Site Port Attacks if the application processes user supplied URLs and does not verify/sanitize the backend response received from remote servers before sending it back to the client.
Port specific payloads are crafted by the attacker and sent to the server. By analyzing the errors or the time delays in the different responses for different ports, the attacker can figure out the status of the ports present on the server. And while exploiting SSRF, the attacker's machine is not directly interacting with the target server; the vulnerable server is doing all the dirty work for the attacker.
If a server has an application where proper
sanitization of the responses is not done and
is vulnerable to SSRF, the attacker can
insert port specific payloads and scan a
target machine using the vulnerable server.
Worse, instead of scanning some other
target machine the payloads can be crafted
which will be directed to the same
vulnerable server itself. In this case, the http
packets are sent from the server to the same
server and the application sends the
response to the attacker. By analyzing the
responses (response error/time delay), the
port status of the vulnerable server can be
determined.

With normal port scanners, the attacker's machine is scanning the ports of a server, whereas SKANDA makes the vulnerable server scan its own ports and provides you the port status.
SKANDA: some prior knowledge
As a pen tester, my goal is to secure my
server and check whether the web
applications running on my server are
vulnerable to SSRF or not. So the payloads
in SKANDA are designed such that they
attack the server itself, on which the
vulnerable web application is running.
In SKANDA, the ports are divided into three states:

Closed: where the port is closed.
Open (Error Based): the port status is determined based on the error message received when connecting to the port.
Open (Blind XSPA): the port status is determined based on the response time.
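To show what the three states above rely on from the defender's side, here is an added example in Python (not SKANDA's code and not the author's PHP test bed): an image-fetching handler written in the vulnerable pattern the article describes, beside a hardened version that allow-lists the scheme and port, resolves the hostname and refuses loopback and private addresses, and returns one generic error for every failure. The function names, the constructed `fake_connect` backend and the addresses used are assumptions made for the example.

```python
import ipaddress
import socket
from urllib.parse import urlparse

ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {80, 443}

def default_resolve(host):
    """All addresses a host resolves to, or [] if resolution fails."""
    try:
        return [info[4][0] for info in socket.getaddrinfo(host, None)]
    except socket.gaierror:
        return []

def is_public_host(host, resolve=default_resolve):
    """True only if every resolved address is globally routable, so loopback,
    link-local and RFC 1918 targets (the server itself, the intranet) are refused."""
    addrs = [ipaddress.ip_address(a) for a in resolve(host)]
    return bool(addrs) and all(a.is_global for a in addrs)

def vulnerable_fetch(url, connect):
    """The pattern SKANDA looks for: any URL is fetched and the backend's
    error text is relayed verbatim, so each port produces a distinct reply."""
    p = urlparse(url)
    try:
        return 200, connect(p.hostname, p.port or 80)
    except Exception as exc:  # closed and open ports answer differently here
        return 500, f"fetch failed: {exc}"

def hardened_fetch(url, connect, resolve=default_resolve):
    """Same feature with the URL vetted before use and one generic error for
    every failure, so neither the error text nor the port choice leaks state."""
    p = urlparse(url)
    port = p.port or (443 if p.scheme == "https" else 80)
    if p.scheme not in ALLOWED_SCHEMES or not p.hostname or port not in ALLOWED_PORTS:
        return 400, "invalid image url"
    if not is_public_host(p.hostname, resolve):
        return 400, "invalid image url"
    try:
        return 200, connect(p.hostname, port)
    except Exception:
        return 502, "could not fetch image"

def fake_connect(host, port):
    """Constructed stand-in for the network so the example runs offline: one
    public image host answers, anything else fails with a port-specific error."""
    if host == "images.example.org" and port == 80:
        return b"\x89PNG..."
    if port == 22:
        raise OSError("unexpected banner: SSH-2.0-OpenSSH")
    raise ConnectionRefusedError(f"{host}:{port} refused")
```

Resolving in the check and again when connecting leaves a DNS rebinding window; in a real handler, connect to the address that passed the check rather than re-resolving the name.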

SKANDA: How to Use

SKANDA is built as a module for IronWASP and is bundled along with it. To use SKANDA you must first start IronWASP, configure your browser to use IronWASP as the proxy and then browse to the target site. This way IronWASP will collect all the site information in its proxy logs.

Figure1 - Setting up IronWASP as proxy

Open up the target site which has an SSRF vulnerable server. Browse through the vulnerable web application flow the way it would be used by a general user. For example: I have a PHP test bed (running on Apache) which has the functionality to fetch an image from the entered URL and save it locally.

Figure 2 - Recording the flow in IronWASP proxy logs

Once you have completed the flow, go to the proxy logs, select that request and start SKANDA.

As the module is run, two windows will open up: one is a CLI and the other a GUI interface which will require some details from you before it starts scanning. (Do not close any window if you want to carry on with the scan.)

Figure 3 - Starting SKANDA from the logs

The window below will appear. SKANDA uses this particular HTTP request as the base request to get the port status. If there is a special case then you may change the request, otherwise click Next Step ->.

Figure 4 - Making change to the base request

Now the next window which opens up asks you to locate the suspicious parameter which is SSRF vulnerable. In the case of the test bed used by me, the vulnerable parameter is in the request body, named url (select multiple parameters if more than one parameter is SSRF vulnerable). Click Next after you are done.

Figure 5 - Select the vulnerable SSRF parameter

Since we are sending HTTP requests, depending on the web application the request may require an active session. So if you have created any session plugins which you want to be used while scanning, select them and click Done. Now the GUI will close and the CLI will come into action.

Figure 6 - Command Line Interface

To start with the port scan, enter 1 and submit. (We will come to the second option (2) in a while.)
Now SKANDA will do the following before starting to scan the ports:

Initial Diagnostics: The moment you start the scan, SKANDA sends the base request a number of times so that it checks how the network is responding and creates the best delay time for you.

Once SKANDA is done diagnosing the network, it will start the port specific scan:

Among the parameters selected in the base request (GUI selection), SKANDA attacks the server parameter by parameter. For every parameter it sends payloads targeted to all the ports.

It does a detailed analysis of how the responses (error/time delay) received are different from each other for different payloads. Accordingly it makes an informed decision whether the port is Closed, Open or Open (Blind XSPA). Initially SKANDA scans the predefined list of important ports which are more probable to be used by the servers, to increase the chances of discovering an open port quickly.

Once done with the list of important ports, SKANDA tells you the below details:

If there is an open port found (Error Based XSPA/Blind XSPA).
It gives you the list of ports which are scanned till now.
Time taken to scan those ports.

Now after the important ports are scanned, it calculates the time which will be taken if all the ports are scanned, i.e., 1-65535. If the user wishes to stop, he can press n and the scan will stop. If the user enters any other key and hits enter, it carries forward the scan for all ports from 1-65535 (Figure 8).

Figure 8 - Scanning started from port 1-65535

Customized Scan (Remember the option 2!):

Now there are times where you don't want to run the scan for all the ports; you want specific ports to be scanned. SKANDA is customizable: you can enter the range of ports you want to scan and you are good to go.
Start SKANDA from scratch and select option 2.
Now you will be asked to enter the port range you want SKANDA to scan.


Figure 9 - Providing inputs for port specific scan

And SKANDA will attack those specific ports only.
So, if you think your firewall is protecting you, think again!
If you encounter a suspicious parameter in a request, make sure you run SKANDA on it.
The current version of SKANDA (SSRF Exploitation Framework v0.1) can do a port scan. Future versions of SKANDA will be able to discover hosts behind the firewall and the services running on those hosts, and to exploit them accordingly.

Jayesh Chauhan
jayesh.sngh@gmail.com
Jayesh is a Certified Ethical Hacker
with about 1.9 years of experience in
Application Security and testing. He is
an author of open source tools - CSRF
PoC Generator and SKANDA. Jayesh is
very enthusiastic about making
automated tools in order to make a Pen
Tester's life easier.

Thank you all for reading.


Happy Scanning!!
Cheers!!


Watering Hole Attacks

In recent months, many readers became familiar with the term "Watering Hole," used to describe an attack implemented to infect a website's visitors. One could describe it as a drive-by exploit used to compromise legitimate websites.

This method of attack is not new: it's been observed since 2009, when civil society organizations were compromised with this technique, used as a vector to deliver 0-day exploits. The technique is used very effectively to selectively compromise a targeted audience, interested in the specific content found on a targeted website. It's interesting to note that the success of Watering Hole depends on the capabilities of the attacker to develop/produce zero-day exploits that affect a victim's software.

Typically, the incidence of Watering Hole attacks increases in conjunction with a new drive-by exploit. The attackers inject the exploit onto a page of a website, recognizing the high probability that it will be visited by victims that will be infected only if their software is vulnerable to the exploit. Once an internet user visits the page, a backdoor trojan is installed on his computer:

Figure - Watering Hole attack - The Elderwood Project (Symantec)

One of the most interesting papers on the topic is the Elderwood Project, published by Symantec Security. It describes monitoring the attacking group's activities for the last three years, revealing the targeting of a large number of industries from various sectors using a number of zero-day exploits.

The metaphor used in the document is very comprehensive:
The concept of the attack is similar to a
predator waiting at a watering hole in a
desert. The predator knows that victims
will eventually have to come to the
watering hole, so rather than go hunting,
he waits for his victims to come to him.
Similarly, attackers find a Web site that
caters to a particular audience, which
includes the target the attackers are
interested in.
The principal advantage of the technique is
that attackers are able to infect a limited
audience representing the target of the
cyber operation. For this reason, the
difficulty to identify ongoing attacks
increases, while attackers analyze a minor
amount of data stolen from the victims to
gather information of interest.
Typically, the technique is adopted by state-sponsored hackers in cyber espionage campaigns, or by cyber criminals committed to researching specific information.
Watering Hole is not very profitable for the
criminal world because it does not aim to
attack the highest number of possible
victims, as happens with computer scams.
Due to the need to have a knowledge of
zero-day vulnerabilities, it is undoubtedly
more expensive in economic terms (think of
the purchase of zero-day exploits on the
black market) and in R&D (think of the
effort needed to develop an exploit).
Spear phishing or Watering Hole?
In a classic Spear Phishing offensive, the
attacker sends the victim an email with a
malware attached or containing link to a
compromised host serving malicious code.
As with Watering Hole, Spear Phishing is used prevalently for targeted attacks, but the success of the attack depends on the recipients clicking the link or opening an attachment.
It's easy to understand that there's a high probability that a would-be victim will discard the malicious email, even if the malware eludes antivirus detection due to the presence of a zero-day exploit. Watering Hole allows the attacker to overcome this difficulty by compromising and infecting a website potential victims are likely to visit.
However, the major drawback of a Watering Hole technique is that it requires much more effort from attackers: to choose the target website with care, to inspect it for vulnerabilities and to compromise it to install the exploits.
Security experts are convinced that the number of watering hole attacks is destined to increase rapidly, due to the large diffusion of exploits on the underground market, as well as an increasing interest by governments in committing cyber espionage.

Pierluigi Paganini
Pierluigi Paganini is a security researcher for the InfoSec Institute, a security training company that specializes in CEH training courses.
