No matter how good an organisation believes its security posture to be, it cannot be sure until it is attacked. Red teaming is a way of finding out: an adversarial simulation of a cyber-attack under real-world conditions.
Conducted over an extended period, its objective is to assess an entire organisation's resistance to compromise across technology, people and processes.
Unlike a penetration test, a red team exercise assesses performance across multiple domains: networks, applications, employees' resistance to social engineering and deception, physical and building security, and the capabilities of the in-house incident response function.
Every OBRELA Labs red teaming exercise is conducted within a predefined time window by a dedicated team of experts using tactical tradecraft and advanced exploitation methods.
The team holds a wide range of accreditations, including Offensive Security OSCP, CREST CPSA, CREST CRT and EC-Council CEH.
Since the effectiveness of red teaming depends on the skills, experience and security intuition of the team conducting it, OBRELA Labs, drawing on years of experience, has built extensive expertise in advanced adversary simulation that can be tailored to the requirements of a wide range of business sectors and exercise goals.
Penetration testing simulates real-world cyber-attacks against an organisation's networks, systems or applications and assesses how vulnerable they are to compromise. It is usually carried out from the standpoint of an external, Internet-based attacker or of a malicious insider.
As in a real attack, a penetration test begins with reconnaissance, followed by scanning for specific vulnerabilities or configuration oversights. If access is gained, the tester attempts to move laterally to reach further resources. Once the agreed goal of the test has been reached, the tester documents each stage of the exercise and every weakness uncovered.
Today's networks and systems are an order of magnitude more complex than they were even a few years ago, and defending them has become correspondingly uncertain. Even the best-resourced organisations cannot see or anticipate every vulnerability. Penetration tests give clients a wealth of insight into where weaknesses lie, allowing fixes and countermeasures to be put in place before real attackers discover and exploit them. The report delivered at the end of the engagement provides a baseline for risk management, including which fixes should be given priority, and helps organisations plan future security investment.
A common misconception is that only poorly managed systems and networks have vulnerabilities. In fact, systems and networks are so diverse and complex that they inherently suffer from weaknesses of different kinds. Even in carefully secured infrastructures, the dynamic nature of modern environments means that new vulnerabilities can appear at any moment. Because simple oversights can have severe repercussions, what matters is to spot them before the adversary does.
OBRELA Labs has a proven track record with customers running complex environments, including (but not limited to) financial services and banking, telecommunications providers, maritime (shore and vessel), healthcare, critical infrastructure, online retail and insurance. Our penetration tests are tailored to simulate scenarios that assume different attacker standpoints and levels of knowledge about the target.
The testing approach is goal-oriented and aims to demonstrate the maximum impact of a successful cyber-attack, i.e. how a third party could obtain unauthorised access to the data served by the target systems or applications.
Testing combines industry-leading tools with manual techniques to identify and exploit both known and previously unknown software flaws, misconfigurations and operational/control weaknesses, with an emphasis on depth of coverage.
Obrela Labs’ penetration testers hold a range of accreditations, including Offensive Security OSCP, CREST CPSA, CREST CRT and EC-Council CEH.
The Security Operations Center of Obrela Security Industries is keeping customers continuously updated on this attack and providing guidance on mitigating and preventing the threat. The SOC has increased its readiness and alerting verbosity for anomalies in SMB traffic, for communication with the suspicious IP addresses and domains listed below, and for related activity.
The ransomware infection starts with a visit to a compromised website. The chain therefore (a) requires user interaction, namely visiting the compromised site, which (b) redirects the browser to 1dnscontrol[.]com, (c) from which a fake Flash update (install_flash_player.exe) is downloaded.
This executable (SHA-256 630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da) is the dropper for the malware that infects the target workstation.
The resulting malware can propagate via SMB and has many similarities to the Petya/Nyetya attack.
It also carries a version of the Mimikatz credential-theft tool, which it uses to steal credentials and spread to other hosts (again similar to Nyetya).
Once a Windows computer is infected, the malware reboots it, encrypts the hard drive's master file table (MFT) and replaces the MBR with its own code so that the ransom note is displayed on reboot. The disk encryption is performed with DiskCryptor (full-drive encryption); keys are generated on the host and protected with an RSA-2048 public key.
As a result the computer is locked and displays a ransom note demanding a Bitcoin payment to regain control of the system.
Indicators of compromise

File hashes (SHA-256):
630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da  install_flash_player.exe (dropper)
8ebc97e05c8e1073bda2efb6f4d00ad7e789260afa2c276f0c72740b838a0a93  C:\Windows\dispci.exe (DiskCryptor client)
682ADCB55FE4649F7B22505A54A9DBC454B4090FC2BB84AF7DB5B0908F3B7806  C:\Windows\cscc.dat (DiskCryptor driver, x86)
0b2f863f4119dc88a22cc97c0a136c88a0127cb026751303b045f7322a8972f6  C:\Windows\cscc.dat (DiskCryptor driver, x64)
579FD8A0385482FB4C789561A30B09F25671E86422F40EF5CCA2036B28F99648  C:\Windows\infpub.dat
2f8c54f9fa8e47596a3beff0031f85360e56840c77f71c6a573ace6f46412035  Mimikatz-like component (x86)
301b905eb98d8d6bb559c04bbda26628a942b2c4107c07a02e8f753bdcfe347c  Mimikatz-like component (x64)

Scheduled task names created on infected hosts:
viserion_
rhaegal
drogon

Distribution infrastructure (fake Flash update):
1dnscontrol[.]com
/flash_install.php (download path)
185.149.120[.]3

Compromised websites used to redirect visitors:
Argumentiru[.]com
Fontanka[.]ru
Adblibri[.]ro
Spbvoditel[.]ru
Grupovo[.]bg
www.sinematurk[.]com

Tor payment site:
caforssztxqzf2nm[.]onion
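As an added example (not OBRELA's own tooling), the following script applies the indicators above to three data sources a SOC analyst would check first: a web proxy log, a file-hash inventory, and the list of scheduled tasks on a host. Only the indicators come from the advisory; the log format, the log lines, the inventory and the task list are constructed samples. Requests to the attacker's own hosts or to the dropper path are rated high; a visit to one of the compromised sites is rated medium, because on its own it only shows that a user was exposed to the redirect.

```python
"""Offline matcher for the indicators listed in this advisory.

Added example, not OBRELA tooling. The indicators are copied from the advisory
(defanged with "[.]" as printed there); the proxy log format, log lines,
file inventory and task list are constructed samples.
"""
import re


def refang(indicator):
    """Restore the dots the advisory replaced with '[.]' and normalise case."""
    return indicator.replace("[.]", ".").lower()


# Hosts that belong to the attacker: the download site, its IP, the Tor site.
ATTACKER_HOSTS = {refang(h) for h in (
    "1dnscontrol[.]com", "185.149.120[.]3", "caforssztxqzf2nm[.]onion")}
DROPPER_PATH = "/flash_install.php"

# Legitimate sites that were compromised to redirect visitors. A visit is a
# lead to triage (look for the follow-on request to an attacker host), not
# proof of infection.
COMPROMISED_SITES = {refang(h) for h in (
    "Argumentiru[.]com", "Fontanka[.]ru", "Adblibri[.]ro",
    "Spbvoditel[.]ru", "Grupovo[.]bg", "www.sinematurk[.]com")}

# SHA-256 hashes from the advisory, lower-cased once so lookups ignore case.
FILE_HASHES = {h.lower(): what for h, what in (
    ("630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da", "dropper"),
    ("8ebc97e05c8e1073bda2efb6f4d00ad7e789260afa2c276f0c72740b838a0a93", "dispci.exe"),
    ("682ADCB55FE4649F7B22505A54A9DBC454B4090FC2BB84AF7DB5B0908F3B7806", "cscc.dat x86"),
    ("0b2f863f4119dc88a22cc97c0a136c88a0127cb026751303b045f7322a8972f6", "cscc.dat x64"),
    ("579FD8A0385482FB4C789561A30B09F25671E86422F40EF5CCA2036B28F99648", "infpub.dat"),
    ("2f8c54f9fa8e47596a3beff0031f85360e56840c77f71c6a573ace6f46412035", "mimikatz-like x86"),
    ("301b905eb98d8d6bb559c04bbda26628a942b2c4107c07a02e8f753bdcfe347c", "mimikatz-like x64"),
)}
TASK_NAMES = {"viserion_", "rhaegal", "drogon"}

# Constructed log format: "<epoch> <client-ip> <method> <url>".
LOG_LINE = re.compile(r"^\S+\s+(?P<client>\S+)\s+[A-Z]+\s+(?P<url>\S+)")


def host_matches(host, indicators):
    """Exact match or subdomain of an indicator (www.fontanka.ru -> fontanka.ru)."""
    return any(host == i or host.endswith("." + i) for i in indicators)


def match_proxy_log(lines):
    """Return a list of (client, host, severity) for lines touching an indicator."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        url = re.sub(r"^[a-z]+://", "", m.group("url"), flags=re.I)
        host, _, path = url.partition("/")
        host = host.split(":")[0].lower()  # drop an explicit port
        if host_matches(host, ATTACKER_HOSTS) or ("/" + path).startswith(DROPPER_PATH):
            hits.append((m.group("client"), host, "high"))
        elif host_matches(host, COMPROMISED_SITES):
            hits.append((m.group("client"), host, "medium"))
    return hits


def match_file_hashes(inventory):
    """inventory: iterable of (path, sha256 hex). Returns [(path, component)]."""
    return [(path, FILE_HASHES[digest.lower()])
            for path, digest in inventory if digest.lower() in FILE_HASHES]


def match_scheduled_tasks(task_names):
    """Task names on a host that match those the malware registers."""
    return sorted(TASK_NAMES & {t.lower() for t in task_names})


# Constructed samples: one workstation follows the redirect chain, one does not.
SAMPLE_PROXY_LOG = [
    "1508841601 10.0.0.21 GET http://www.fontanka.ru/news/2017/10/24/",
    "1508841603 10.0.0.21 GET http://1dnscontrol.com/flash_install.php",
    "1508841604 10.0.0.21 GET http://185.149.120.3/index.php",
    "1508841700 10.0.0.22 GET https://example.com/",
]
SAMPLE_INVENTORY = [
    (r"C:\Users\alice\Downloads\install_flash_player.exe",
     "630325CAC09AC3FAB908F903E3B00D0DADD5FDAA0875ED8496FCBB97A558D0DA"),
    (r"C:\Windows\infpub.dat",
     "579fd8a0385482fb4c789561a30b09f25671e86422f40ef5cca2036b28f99648"),
    (r"C:\Windows\notepad.exe", "0" * 64),
]
SAMPLE_TASKS = ["GoogleUpdateTaskMachineCore", "rhaegal", "Drogon"]

if __name__ == "__main__":
    print(match_proxy_log(SAMPLE_PROXY_LOG))
    print(match_file_hashes(SAMPLE_INVENTORY))
    print(match_scheduled_tasks(SAMPLE_TASKS))
```

Hash comparison is case-insensitive because the advisory lists digests in mixed case, and host matching accepts subdomains so that www.fontanka.ru is caught by the fontanka.ru indicator. The dropper path is matched on any host, since the same lure could be re-hosted.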
Operating system (OS) command injection is a variant of code injection, a class of attacks considered a major security threat: injection is ranked No. 1 in the 2013 OWASP Top Ten web application security risks [1]. Code injection takes many forms, including SQL injection [2], cross-site scripting (XSS) [3], OS command injection [4], XPath injection [5] and LDAP injection [6].
OS command injection can occur in applications that accept user-supplied input and execute OS commands with that input as parameters. Such flaws have been found in web applications hosted on Windows and Linux web servers, in the web-based management interfaces of network devices such as home/office routers, IP cameras, IP PBX applications and network printers, and in IoT devices generally. The injected commands run with the privileges of the vulnerable application, which on embedded devices is frequently root. In most cases the root cause is missing or incorrect validation of attacker-controlled input (web form fields, cookies, HTTP headers and so on).
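The sink described above, as an added example (not the post's code and not DVWA's PHP): a handler that pings a user-supplied host, written the vulnerable way and then with the input validation the paragraph calls for. The ping command line, the allow-list rule (accept only a well-formed IPv4 address) and the sample payloads are my assumptions.

```python
"""Command-injection sink and its allow-list fix (added example, not from the post).

Assumed: a web handler that pings a user-supplied host. The shell command line
and the validation rule below are mine.
"""
import ipaddress
import shlex


def unsafe_command(target):
    """The vulnerable pattern: untrusted input concatenated into a shell line.

    Handed to system()/shell_exec()/subprocess.run(..., shell=True), every
    shell metacharacter in `target` (; | & ` $( ) is honoured by the shell.
    """
    return "ping -c 3 " + target


def shell_tokens(command_line):
    """Split `command_line` the way a POSIX shell would, so the injection is
    visible: ';' and '|' come out as separate tokens, i.e. command boundaries,
    not as part of the host argument."""
    lexer = shlex.shlex(command_line, posix=True, punctuation_chars=True)
    return list(lexer)


def safe_command(target):
    """Allow-list validation plus an argv list, no shell involved.

    Only a well-formed IPv4 address is accepted, and it is handed to ping as
    a single argument. Run it with subprocess.run(argv, shell=False, timeout=...).
    Validation still matters with argv: a value starting with '-' could be
    parsed by ping as an option (argument injection), and the IPv4 check
    rules that out too.
    """
    try:
        ip = ipaddress.IPv4Address(target)
    except ValueError as exc:  # AddressValueError is a ValueError
        raise ValueError(f"rejected target {target!r}: {exc}") from None
    return ["ping", "-c", "3", str(ip)]


def is_accepted(target):
    """True if safe_command would run ping for `target`."""
    try:
        safe_command(target)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for payload in ("127.0.0.1", "127.0.0.1;id", "127.0.0.1|id", "$(id)", "-h"):
        print(f"{payload!r:16} shell sees {shell_tokens(unsafe_command(payload))}"
              f"  accepted by allow-list: {is_accepted(payload)}")
```

The point of `shell_tokens` is to show where the command boundary falls: once the shell has split the line, `id` is a second command, and no amount of escaping after the fact reliably undoes that. Passing an argv list without a shell removes the interpreter from the path; the allow-list then bounds what the one remaining argument can be.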
Because few tools automate the detection and exploitation of command injection vulnerabilities, this post uses Commix. Commix (short for [COMM]and [I]njection e[X]ploiter) is an automated tool that helps web developers, penetration testers and security researchers test web applications for bugs, errors or vulnerabilities related to command injection. It can inject not only into HTTP GET/POST parameters but also into other request components such as the Cookie, User-Agent and Referer header values. The tool is written in Python (2.6 or 2.7 at the time of writing) and runs on both Unix/Linux and Windows. Commix is free to download from its GitHub repository [7], comes preinstalled in many security-oriented distributions including Kali Linux [8], and was presented at Black Hat Europe 2015 (Amsterdam, Netherlands) [9].
The main objective of this article is to examine Commix's detection and exploitation capabilities against blacklisting techniques. The idea behind blacklisting is to check user input for malicious patterns before allowing it to be used. In the case of OS command injection, a blacklist typically strips "suspicious" characters (";", "|", "&" and so on) from the input. Its basic weakness, which greatly limits its effectiveness, is that an attacker need only find a variation of the injection vector that the blacklist does not cover in order to launch the attack successfully. To obtain a reliable sample of checks against the most common blacklisting techniques, Damn Vulnerable Web Application (DVWA) v1.10 [10] was installed on Debian Linux (kernel 3.16.0-4). DVWA is a free, open-source PHP/MySQL web application with four security levels, Low, Medium, High and Impossible; the selected level determines how much protection each vulnerable page applies, from none at Low to a version intended to be unexploitable at Impossible.
DVWA also ships with an outdated version (v0.6) of PHPIDS, a Web Application Firewall (WAF) for PHP applications. PHPIDS (PHP Intrusion Detection System) [11] is a security layer that filters all user-supplied input against a blacklist of potentially malicious patterns. DVWA includes it as a live example of how a WAF can improve security and, in some cases, how a WAF can be circumvented. Note that for this research the latest stable version (v0.7) [12] of PHPIDS was installed in DVWA.
All experiments were conducted in two separate rounds of checks: the first with PHPIDS disabled and the second with PHPIDS enabled.
The tables below summarise the detection and exploitation results of the two rounds against the vulnerable "ip" POST parameter of "/vulnerabilities/exec/" in DVWA at every supported security level (Low to Impossible)*. PASSED means Commix detected and exploited the injection with the given technique; FAILED means it did not.
* In both rounds, at the "Impossible" level Commix detected no vulnerability, as expected, because that level is not meant to be exploitable.
SECURITY LEVEL | RESULTS-BASED | TIME-BASED | FILE-BASED | TEMPFILE-BASED
LOW            | PASSED        | PASSED     | PASSED     | PASSED
MEDIUM         | PASSED        | PASSED     | PASSED     | PASSED
HIGH           | FAILED        | FAILED     | PASSED     | FAILED
IMPOSSIBLE     | FAILED        | FAILED     | FAILED     | FAILED
Table 1: Command injection attempts with PHPIDS disabled.
SECURITY LEVEL | RESULTS-BASED | TIME-BASED | FILE-BASED | TEMPFILE-BASED
LOW            | PASSED        | FAILED     | PASSED     | FAILED
MEDIUM         | PASSED        | FAILED     | PASSED     | FAILED
HIGH           | FAILED        | FAILED     | PASSED     | FAILED
IMPOSSIBLE     | FAILED        | FAILED     | FAILED     | FAILED
Table 2: Command injection attempts with PHPIDS enabled.
Lastly, it is worth mentioning that, although the remote command execution filter PHPIDS v0.7 uses to prevent OS command injection is quite weak (more on this below), specific characters used in most payloads ("$", "{", "}", "))" and so on) were still detected. Further analysis showed that this is due to overlap with other, unrelated PHPIDS filters. To circumvent this restriction the "--backticks" switch, which uses the backtick (`) instead of "$()" for command substitution [13], was used.
As already mentioned, PHPIDS 0.7 does not effectively protect against OS command injection. The relevant filter is defined in the "default_filter.json" and "default_filter.xml" files; filter id "74" checks only for attempts to execute a ping command, such as "ping -n 3 127.0.0.1" or "ping localhost -n 3", as shown below:
ping(.*)[\-(.*)\w|\w(.*)\-]
To close this gap we proposed an additional regular expression for the filter. With it in place, all of the attempted payloads failed, because the symbols used in OS command injection payloads were now detected and blocked:
(?:[^|;|&|\||\<|\>|`|\$|\(|\)|\{|\}]\W*?\b)
One caveat should be stated plainly: the bracket expression in this pattern is a negated character class ([^...]), so it matches any character that is not one of the listed metacharacters, followed by an optional run of non-word characters and a word boundary. In practice that is nearly every string the rule is run against, not only strings containing shell metacharacters. This explains why Table 3 shows every attempt blocked at every level, including Low, but it also means the rule will flag legitimate input that PHPIDS passes to its filters; a positive character class listing the metacharacters themselves expresses the intended check without that side effect.
Finally, Table 3 below shows that every attempt to detect and exploit OS command injection against the vulnerable "ip" POST parameter of "/vulnerabilities/exec/" failed after the new rule was added.
SECURITY LEVEL | RESULTS-BASED | TIME-BASED | FILE-BASED | TEMPFILE-BASED
LOW            | FAILED        | FAILED     | FAILED     | FAILED
MEDIUM         | FAILED        | FAILED     | FAILED     | FAILED
HIGH           | FAILED        | FAILED     | FAILED     | FAILED
IMPOSSIBLE     | FAILED        | FAILED     | FAILED     | FAILED
Table 3: Command injection attempts after the proposed PHPIDS filter was added (all blocked).
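To make the filters discussed in this article concrete, here is an added example (not code from the original post) that runs PHPIDS filter 74 and the proposed rule, both exactly as quoted above, over Commix-style payloads and over benign input. Beside them sit a substitution blacklist in the style of DVWA's Medium level (stripping ";" and "&&"; that list and all sample inputs are my assumptions) and a positive metacharacter class that says what the proposed rule was evidently meant to say (also my assumption). It shows filter 74 missing every payload that does not contain "ping", the proposed rule flagging every sample including the plain IP address, and the strip filter being bypassed by "|" and by the "&;&" trick, where removing ";" after "&&" leaves a fresh "&&" behind.

```python
"""Blacklists from this article, reconstructed and run over sample input.

Added example, not from the post. Taken verbatim from the page: PHPIDS filter
74 and the proposed additional rule. Assumed: the substitution blacklist
(modelled on DVWA's Medium exec level), METACHAR_RULE (my reading of the
proposed rule's intent) and the sample inputs.
"""
import re

# Filter id 74 from PHPIDS 0.7 default_filter.json, as quoted in the post.
PHPIDS_FILTER_74 = re.compile(r"ping(.*)[\-(.*)\w|\w(.*)\-]", re.I)

# The proposed rule, verbatim. The bracket expression is a NEGATED class
# ([^...]): it matches any character that is NOT a shell metacharacter, then
# optional non-word characters and a word boundary, so practically every
# string containing a word character hits it.
PROPOSED_RULE = re.compile(r"(?:[^|;|&|\||\<|\>|`|\$|\(|\)|\{|\}]\W*?\b)", re.I)

# The positive class the proposed rule evidently intended (assumption).
METACHAR_RULE = re.compile(r"[|;&<>`$(){}]")

RULES = {"filter74": PHPIDS_FILTER_74, "proposed": PROPOSED_RULE, "metachar": METACHAR_RULE}


def classify(value):
    """Which of the three rules flag `value`."""
    return {name: rule.search(value) is not None for name, rule in RULES.items()}


def strip_blacklist(value, banned=("&&", ";")):
    """Substitution blacklist in the style of DVWA's Medium level (assumption):
    each banned token is removed in order, in one pass, like PHP's str_replace."""
    for token in banned:
        value = value.replace(token, "")
    return value


# Constructed inputs: a legitimate request, the kinds of payload Commix tries
# (results-, time- and backtick-based), the '&;&' bypass of the strip filter,
# and the 'ping' string that filter 74 actually looks for.
SAMPLES = [
    "127.0.0.1",
    "127.0.0.1;id",
    "127.0.0.1|id",
    "127.0.0.1;sleep 5",
    "127.0.0.1;$(id)",
    "127.0.0.1;`id`",
    "127.0.0.1&;&id",
    "ping -n 3 127.0.0.1",
]


def report(samples=SAMPLES):
    """(input, value after the strip filter, rule hits) for each sample."""
    return [(s, strip_blacklist(s), classify(s)) for s in samples]


def over_blocked(values):
    """Benign values (no shell metacharacters) that the proposed rule still flags."""
    return [v for v in values if not METACHAR_RULE.search(v) and PROPOSED_RULE.search(v)]


if __name__ == "__main__":
    for sample, stripped, hits in report():
        print(f"{sample!r:24} strip-> {stripped!r:18} {hits}")
    print("over-blocked:", over_blocked(["127.0.0.1", "example.org", "hello world"]))
```

Read with Tables 1 to 3 in mind: filter 74 never fires on the injection payloads, which is why PHPIDS alone changed so little in Table 2; the strip filter neutralises ";" but not "|" or "&;&", which is the "variation not in the blacklist" problem; and the proposed rule fires on everything, benign values included, which is what Table 3 is really measuring.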
In summary, this article focused on the weak blacklisting features of DVWA's security levels combined with the latest stable version of the PHPIDS WAF. Having established that Commix was able to bypass the blacklisting filters at the Low, Medium and High levels even with PHPIDS 0.7 present, a new PHPIDS rule was proposed that blocks all of the exploitation attempts, though, as noted above, at the cost of also blocking benign input that reaches the filter.
[1] https://www.owasp.org/index.php/Code_Injection
[2] https://www.owasp.org/index.php/SQL_Injection
[3] https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)
[4] https://www.owasp.org/index.php/Command_Injection
[5] https://www.owasp.org/index.php/XPATH_Injection
[6] https://www.owasp.org/index.php/LDAP_injection
[7] https://github.com/commixproject/commix
[8] https://tools.kali.org/exploitation-tools/commix
[9] https://www.blackhat.com/docs/eu-15/materials/eu-15-Stasinopoulos-Commix-Detecting-And-Exploiting-Command-Injection-Flaws.pdf
[10] https://github.com/ethicalhack3r/DVWA
[11] https://github.com/PHPIDS/PHPIDS
[12] https://github.com/PHPIDS/PHPIDS/releases/tag/0.7
[13] http://tldp.org/LDP/abs/html/commandsub.html