Sunday, June 30, 2013

SpiderFoot: Free open-source footprinting tool

"Footprinting" is the process of understanding as much as possible about a given target in order to perform a more complete security penetration test. Particularly for large networks, this can be a daunting task.
  
The main objective of SpiderFoot is to automate this process to the greatest extent possible, freeing up a penetration tester's time to focus their efforts on the security testing itself.
 
SpiderFoot is a free, open-source footprinting tool, enabling you to perform various scans against a given domain name in order to obtain information such as sub-domains, e-mail addresses, owned netblocks, web server versions and so on. The main objective of SpiderFoot is to automate the footprinting process to the greatest extent possible, freeing up a penetration tester's time to focus their efforts on the security testing itself.

Grab it from: http://www.spiderfoot.net/
New in this release, which is actually a complete re-write of the version from 2005(!): - Now runs on Windows as well as Linux, Solaris, *BSD (basically anything with Python should be fine)
  • Scans are even more configurable than before
  • All scan data stored locally in an SQLite database for querying, reporting and analysis - Many more scans/tests included (GeoIP, URL linkage, web technology, port scans...) - You can now easily extend functionality by writing your own modules in Python 
  • Completely new user interface, which is now entirely web-based
  • Configuration state is stored between runs
  • Scanning can be remotely controlled
I hope you find it useful, and if you have any suggestions/complaints, feel free to contact me.

Topera: Security tools for IPv6 - IPv6 analysis tool

What's Topera?

Topera is a new security tools for IPv6, with the particularity that their attacks can't be detected by Snort. Snort is the most known IDS/IPS and is widely used in many different critical environments. Some commercial tools (Juniper or Checkpoint ones) use it as detection engine also.

Mocking snort detection capabilities could suppose a high risk in some cases.
All the community is invited to test it in any environment and we would be thankful if you send us any feedback.

This tool was presented in the second edition of the Security Conference "Navaja Negra" (http://www.navajanegra.com) by Daniel Garcia a.k.a cr0hn (@ggdaniel) and Rafa Sanchez (@r_a_ff_a_e_ll_o ).

What's new?

New version of Topera (0.0.2) include these improvements:
  1. Slow HTTP attacks (Slowloris over IPv6).
  2. Improved TCP port scanner.

Why?

Our intention is to promote awareness of and show the security implications of IPv6.

How to use it?

Help

topera help image

List plugins:

# topera.py -L

Topera loris mode:

Run with default options:
# python topera.py -M topera_loris -t fe80:b100:::c408
Run specifing: destination port, delay between connections, and number os extensions headers:
# python topera.py -M topera_loris -t fe80:b100:::c408 \
--dport 8080 --delay 0 --headers-num 0 -vvv

Topera in TCP port scanner mode:

Run with default options:
# python topera.py -M topera_tcp_scan -t fe80:b100:::c408
Run specifing: ports to scan, delay between connections, and number os extensions headers:
# python topera.py -M topera_tcp_scan -t fe80:b100:::c408 \
-p 21,22,23,80,8080 --scan-delay 0 --headers-num 0 -vvv

Video


Download @ http://toperaproject.github.io/topera/

Contact

You can contact with us at this mail: topera.project@iniqua.com.

GreHack 2013 - CFP EXTENDED TO JULY,16 - Conf: Nov. 15, Grenoble, France

From: "F. Duchene"
Date: Sun, 30 Jun 2013 10:32:20 +0200


--------------------------------------------------------------------------------

If you have security research to submit, please note that the CFP Submission deadline for GreHack'13 has been EXTENDED to *JULY 16*.

---------------------------
*GreHack 2013* — Call For Papers - EXTENDED SUBMISSION DEADLINE: JULY 16 Event: November 15, Grenoble, France http://grehack.org — Twitter: @grehack
---------------------------

*Topics*

The 2nd International Symposium on Grey-Hat Hacking — aka GreHack 2013

— will gather researchers and practitioners from academia, industry, and government to discuss new advances in computer and information security research.

All topics related to vulnerability discovery are within scope. In addition, topics of interest also include but are not limited to:
 - Reverse Engineering and Obfuscation
 - Vulnerability Discovery, Analysis and Exploit Automation
 - Embedded Systems Security, including Smartphone Security
 - Hardware Vulnerabilities
 - Malware Creation, Analysis and Prevention
 - Web Application Security
 - Network Exfiltration
 - Intrusion Detection and Prevention
 - Security and Privacy in Cloud, P2P Networks
 - Penetration Testing
 - Disclosure and Ethics
 - Digital Forensics
 - Applied Cryptography and Cryptanalysis

We encourage original and groundbreaking submissions, demonstrations, release of a new open source/non-commercial tool, and interaction with the audience.

Each submission will be reviewed by at least three members of the Program Committee.

---------------------------
*Important Dates*
 - *SUBMISSION DEADLINE*:       JULY 16, 2013 11PM59  HONOLULU, HAWAII TIME *EXTENDED*
 - Reviews due:                 August 25, 2013 11pm59 Honolulu, Hawaii Time
 - Decision notification:       September 4, 2013
 - Final paper camera-ready:    September 30, 2013 11pm59 Honolulu, Hawaii Time
 - Symposium:                   November 15, 2013

---------------------------
*Submissions Types*
GreHack 2013 will consider following types of submissions:
    *Full research papers* presenting mature and novel research results. Their total length should range from 10 to 16 pages.
    *Short Papers/Extended Abstracts* describing novel ideas of potential interest to the security research community. Their total length should range from 4 to 8 pages. Papers accepted by the Program Committee will be presented at GreHack 2013. Each paper must include an abstract and a list of keywords, be formatted in a single-column format, use at least 11-point fonts, and have reasonable margins. Templates are available on the website (Latex and Word). Total length includes the bibliography and any appendices.

    GreHack does not require anonymized submissions, thus authors and affiliations must be mentioned. For accepted papers, at least one of the authors must attend the conference and present the paper. Papers must neither have been previously accepted for publication nor submitted in another conference or journal with formal proceedings. Industry conferences such as BlackHat do not have formal proceedings. Further questions on the submission process may be sent to the program
chairs at pc-chairs-2013 () grehack org

---------------------------
* Best Paper Award*
The Program Committee members will select the best paper to be announced and awarded at the last session of the symposium.

---------------------------

*Publishing: Springer JCVHT*
The best papers will be selected from submissions, carefully reviewed, and published in the prestigious Springer Journal in Computer Virology and Hacking Techniques (JCVHT).
JCVHT is an open journal: the access to the papers is free of charges for the reader.

 http://www.springer.com/computer/journal/11416
 http://academic.research.microsoft.com/Journal/890/journal-in-computer-virology

---------------------------

*Program Committee*
 - Dan Alloun (Intel, Israel)
 - Ruo Ando (NICT, Japan)
 - Jean-Philippe Aumasson (Kudelski Security, Switzerland)
 - Sofia Bekrar (VUPEN Security, France)
 - Elie Bursztein (Google, US)
 - Fabrice Desclaux aka Serpilliere (France)
 - Adam Doupe (UCSB, US)
 - Fabien Duchene (LIG, France)
 - Chris Eng (Veracode, US)
 - Peter Van Eeckhoutte aka corelanc0d3r (Corelan, Belgium)
 - Manuel Egele (CMU, US)
 - Philippe Elbaz-Vincent (UJF, France)
 - Eric Filiol (ESIEA, France)
 - The Grugq (Thailand)
 - Mario Heiderich (Ruhr University Bochum, Germany)
 - Pascal Lafourcade (VERIMAG, France)
 - Cedric Lauradoux (INRIA, France)
 - Pascal Malterre (CEA-DAM, France)
 - Laurent Mounier (VERIMAG, France)
 - Stefano Di Paola (Minded Security, Italia)
 - Marie-Laure Potet (VERIMAG, France)
 - Paul Rascagneres aka r00tBSD (Malware.Lu, Luxembourg)
 - Sanjay Rawat (India)
 - Raphael Rigo (ANSSI, France)
 - Nicolas Ruff (EADS Innovation Works, France)
 - Steven Seeley aka Mr_Me (Immunity, US)
 - Fermin J. Serna (Google, US)
 - Nikita Tarakanov (Russia)

---------------------------
*Accepted Author Benefits* (1 author per accepted paper)
 - One free entry to the conference
 - Limited financial participation to author expenses (accommodation and travel). Priority for travel grants will be given to students.

---------------------------
*Submission Guidelines*
Submissions will be handled via EasyChair at:

https://www.easychair.org/conferences/?conf=grehack2013

In the unlikely case that the submission website would be unavailable, you can email your submission to: pc-chairs-2013 () grehack org

---------------------------
*GreHack 2013* — Call For Papers - EXTENDED SUBMISSION DEADLINE: JULY 16 Event: November 15, Grenoble, France

http://grehack.org — Twitter: @grehack

------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT  and CEPT certs require a full practical examination in order to become certified.

http://www.iacertification.org

------------------------------------------------------------------------
 

Friday, June 28, 2013

Cryptography Overhead Analysis With Practical Demostration

What is cryptography?
 
IPSec provides security to the Internet Protocol Layer. It does this by giving us the choices to use any encryption-decryption algorithm along with the mandatory security protocols.. IPSec uses some different important protocols such as AH (Authentication Header), ESP (Encapsulating Security Protocol), ISAKMP (Internet Security Association and Key Protocol) and IKE (Internet key exchange). Each has their own responsibility and functionality. To operate all this functionality, there are two basic modes such as: Transport Mode & Tunnel Mode.

Implementation of IPSEC

The introduction part shows the essential cryptographic design protocols in IPSec. The essential main 3 protocols are as follows :

1.    AH -> Authentication Header
2.    ESP -> Encapsulating Security Protocol
3.    IKEv2 -> Internet Key Exchange v2
4.    ISAKMP -> Internet Security Association & Key Management Protocol

Authentication Header
 
AH provides payload integrity protection as well as data origin authentication. The other important which is provided by AH is anti-relay service. The AH protocol uses the insertion of bit sequence to add the cryptographic protection. It adds AH into the IP packets before it transmit to the end. 
           
Authentication Header

Generally AH contains the MAC value and it is depended upon the particular MAC algorithm used in it. AH must be in a multiple of 32 bits lengths which is used for IPV4 and it has to be in a multiplication of 64 bit length for IPV6. Below table shows the mandatory MAC algorithms being be used for AH described in RFC 4305

Algorithm
Requirement
Key Size (Bits)
Output (Bits)
RFC Reference
HMAC-SHA1-96
MUST
160
96
AES-XCBC-MAC-96
SHOULD+
128
96
HMAC-MD5-96
MAY
128
96

Encapsulating Security Protocol

This protocol is cryptographic transformation. It gives integrity as well as confidentiality in one package, but the primary purpose of this protocol is to provide confidentiality. The ESP header is having a sequence number field and SPI. The below figure illustrates the format of the ESP protocol mentioned in RFC 4303.
Encapsulating Security Protocol



There are some mandatory encryption algorithms which have to be used for ESP which is specified in RFC 4305, in which 3DES,  AEC-CBC, DES-CBC and AES-CTR is used.

Algorithm
Requirement
Key Size (Bits)
Block Size (Bits)
RFC Reference
NULL
MUST
0
N/A
Triple DES-CBC
MUST-
192
64
AES-CBC
SHOULD+
128
128
AES-CTR
SHOULD
128
N/A
DES-CBC
SHOULD NOT
56
64
  
ESP is optional, therefore there is a null encryption which has to be implemented if required. DES CBC is used for general purpose and public demonstration where 3DES is widely used algorithm now a days due to having its longer key length and bigger block size. Thus all encryption algorithms are used in a different manner as per their need.

Internet Exchange Key


The main role of IKE is exchanging messages between the two ends. The best way to learn IKEv2 is to compare it with IKEv1.The essential features of IKEv2 is identity hiding,  Negotiation of cryptographic function, flexibility and the variety of securities. There are mainly 2 phases in IKEv2 the first phase is called IKE-SA. Once this phase is initiated, it is used it is used to send the messages between 2 peers. Below figure shows the architecture of IKE phase.


Internet Exchange Key


Generally IKE protocol uses UDP packets on port 500. On an average it requires 4 to 6 packets in order to create SA at the both ends. After this SA creation key material will be provided to the IPsec stack.


Internet Security Association And Key Management Protocol
It is responsible for defining all procedures at both ends. It also plays a vital role in authenticating procedures. It generates SAs and it also manages key integration. ISAKMP has an ability to prevent Denial of Service Attacks. It defines the packet format for the establishment and negotiation of security. It also defines the payload for key generation which gives a constant framework for exchanging authenticated data as well as key. ISAKMP and key exchange protocols both are different things.


ISAKMP
Generally it is implemented on a transport level protocol which uses UDP protocol on 500th port number.
 
IPSEC ALGORITHM  KEY LIMITATIONS


  •     IPSEC limitation can be expressed in terms of lack of expressive power in IPSEC policy control. Also there can be lack of application control on the different different polices.
  •     The biggest challenge in IPSEC is the deployment. Also authorization handling is a big challenge in the IPSEC mechanism because it needs security as well as application information.
  •     As we have seen that cryptographic algorithms are used in a different manner and need, at a same time there are a couple of limitations in cryptography algorithms. Some of the major algorithm scenario and their limitations are shown below:
  •     Talking about DES, it uses 64 bits of key size. In this DES 8 bits of all 64 are used for the odd parity. This is the cause of less effectiveness of this algorithm also DES have compromised on many occasions. There are some specially crafted hard-wares which can crack DES in some few hours. Due to this researcher are motivated to invent more secured DES. Thus the 3DES algorithm born which does the triple repetition of the DES encryption. It can be said that 3DES is able to use a larger key length of 112 bits. It is quite obvious that 3DES runs 3 times slower than normal DES due to a large number of key size repetition processes.
  •     MD5 and SHA1 are both single way hash functions. 512 blocks of bits are used to create 128 and 160 bit hash values. The limitation of them is they cannot be used directly as MAC algorithm due to not having a secret key. This is the reason that why they are being used in conjunction with key hashing technique.
  •     RSA algorithm requires modular exponentiations which lead it towards its main 2 limitations such as large memory space and the more complexity for computational performance.

IPSEC OVERHEAD ANALYSIS

To measure the IPsec overhead, firstly we need to measure the CPU cycle processing. This analysis can be done on essential security algorithms such as DES, 3DES, AES, HMAC-MD5 and HMAC-SHA1. There is a processing overhead as we all know in IPsec, but apart from it there is one more extra overhead which is called space overhead. It is generated by the increased size of packets transmitted on both ends. 

If the application is lighter weighted such as DES, HMAC-MD5 and HMAC-SHA1, then it does not in decrease more system throughput, which has a null impact on the total delay of the process. Here the MS processing rate is 100 MIPS or around it. On the other hand 3DEC and AES are more complex which uses bigger size of key length such as 192 and 256 bits. No doubt that it provides resistance against the targeted attacks but the high volume of processes decrease the throughput of the system. Here the MS processing rate is more than 300 MIPS. AES, DES and 3DES generate more strain on the system.

Overhead is not only depended upon the encryption algorithms but it also depends upon the size of the data which you are sending. Here in my demonstration I have rapidly increased the packet size to send from source to destination and we can clearly see that, as the number of packets are being increased the time taken to send each packet is also getting increased. We can also able to determine the fluctuation in time to send each packet.


C:\Documents and Settings\Administrator>ping -l 16000 10.10.10.11

Pinging 10.10.10.11 with 16000 bytes of data:

Reply from 10.10.10.11: bytes=16000 time=4msTTL=128
Reply from 10.10.10.11: bytes=16000 time=6msTTL=128
Reply from 10.10.10.11: bytes=16000 time=7msTTL=128
Reply from 10.10.10.11: bytes=16000 time=6msTTL=128

Ping statistics for 10.10.10.11:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 4ms, Maximum = 7ms, Average = 5ms

C:\Documents and Settings\Administrator>ping -l 32000 10.10.10.11

Pinging 10.10.10.11 with 32000 bytes of data:

Reply from 10.10.10.11: bytes=32000 time=10msTTL=128
Reply from 10.10.10.11: bytes=32000 time=14msTTL=128
Reply from 10.10.10.11: bytes=32000 time=9msTTL=128
Reply from 10.10.10.11: bytes=32000 time=13ms TTL=128

Ping statistics for 10.10.10.11:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 9ms, Maximum = 14ms, Average = 11ms

C:\Documents and Settings\Administrator>ping -l 64000 10.10.10.11


Pinging 10.10.10.11 with 64000 bytes of data:
Reply from 10.10.10.11: bytes=64000 time=18msTTL=128
Reply from 10.10.10.11: bytes=64000 time=28msTTL=128
Reply from 10.10.10.11: bytes=64000 time=27msTTL=128
Reply from 10.10.10.11: bytes=64000 time=16msTTL=128

Ping statistics for 10.10.10.11:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 16ms, Maximum = 28ms, Average = 22ms

Here we can clearly see that as the packet size/buffer size is increasing the time taken to send the packet is also getting increased and there is a fluctuation in timing for each packet to be sent and that causes large average time.

This is just a basic simple analysis of one machine to another machine with some simple encryption and hashing techniques.  Researchers of the university of Athens have found how the delay gets increased with the use of different     encryption  algorithms. The below figure illustrates the results presented by those researchers.
Total Mean Delay Analysis By Processing 100 MIPS

It is very clear from the graph that DES produces higher delay than other encryption techniques. On the flip side of it, it does not affect the rate of data transfer on the system. We can also see that 3DES and AES are those encryption methods which have a stronger impact on delay taken by packets in transmission. It is very clear from this graph that if the amount of data rate is increased then the total mean daily will be decreased compared to one another.

IPSEC Key Attacks

To improve the encryption and integrity standard we need to understand the previous IPSec key attacks well in deeper. So that we can secure our IPSec standard in a more efficient way in the future. There are some well known attacks on the IPsec key which are as follows:
    • Padding Oracle Attack = Side Channel Attacks
    • Chosen Plain Text Attacks = Plain Text Injection Attacks
    • Options Based Attacks
    • Splicing Attacks
Padding oracle attack is also called as side channel attack. This attack performs padding on messages. These attacks are mostly associated with CBC decryption, which are used in the block cipher. These attacks are widely used in the world for decrypting the cipher text without knowing the key. These attacks are broadly used to crack the CAPTCHAsystems.
In Choosing Plain Text Attack, the attacker chooses the arbitrary plain text in order to decrypt the cipher text. This attack has also an ability to revel the secret key of the whole cryptanalysis process. At the time of world war 2, Gardening Machine was used to crack the codes of the Enigma Machines with the help of plain text injection attacks.

In Choosing PlainText Attack, the attacker chooses the arbitrary plain text in order to decrypt the cipher text. This attack has also an ability to revel the secret key of the whole cryptanalysis process. At the time of world war 2, Gardening Machine was used to crack the codes of the Enigma Machines with the help of plain text injection attacks.
 
In Option Based Attacks, only cipher text is presented against the ESP. The complexity of this attack is more than average 214 trials. The number of trials can vary for 64 bit key length and 128 bit key length.

Splicing attacks are done on ESP. If ESP is used without any authentication then an attacker can intercept anyone’s packet because both the transmission will be on the same SA. Then he might use CBC splicing in order to place a new UDP packet instead of original one. Thus, reinjection of data can be done by using this attack.

Conclusion

Thus IPSec uses a security policy to secure the communication channel as well as the messages. It supports network level end-to-end authentication, payload authentication, confidentiality and integrity. One can use different algorithms and encryption techniques for their desired security.


Demostration : IPSEC Configuration between 2 XP machines
  

References

  1. CHRISTOS XENAKIS*, NIKOLAOS LAOUTARIS, LAZAROS MERAKOS, IOANNIS STAVRAKAKIS, A generic characterization of the overheads imposed by IPsec and associated cryptographic algorithms. Communication Networks Laboratory, Department of Informatics and Telecommunications, University of Athens, Athens 15784, Greece.
  2. S. P. MEENAKSHI,S. V. RAGHAVAN, Impact of IPSec Overhead on Web Application Servers.
  3. Mr. Hitesh dhall, M. D. (2012). IMPLEMENTATION OF IPSEC PROTOCOL. Rohtak, India .
  4. Nikander, J. A. (n.d.). Limitations of IPsec Policy Mechanisms. Jorvas, Finland: Ericsson Research NomadicLab.
  5. Paterson, J. P. (n.d.). Attacking the IPsec Standards in Encryption-only. Bristol, UK.
  6. Paterson, K. G. (2006). A cryptographic tour of the IPsec standards. Elsevier Ltd.
  7. S. P. Meenakshi, S. V. (2010). Impact of IPSec Overhead on Web Application.
  8. (n.d.). Retrieved from http://www.onlinebusiness.newstipstricks.com/wp-content/uploads/2013/03/Cryptography.png
  9. JARI ARKKO, P.N., Limitations of IPsec Policy Mechanisms. Ericsson Research NomadicLab, 02420 Jorvas, Finland.
  10. JEAN PAUL DEGABRIELE,KENNETH G. PATERSON, Attacking the IPsec Standards in Encryption-only Configurations. Information Security Group, Royal Holloway University of London, Egham, Surrey TW20 0EX, UK,Hewlett-Packard Laboratories, Bristol Filton Road, Stoke Gifford, Bristol BS34 8QZ, UK.
  11. KENNETH G. PATERSON, 2006. A cryptographic tour of the IPsec standards. Information Security Group, Royal Holloway, University of London, Egham, Surrey TW20 0EX, UK.
Source : http://infosecninja.blogspot.com/2013/06/cryptography-overhead-analysis-with.html