03-04-2016. Joseph M Gant.
SSL and TLS servers have fallen
prey to a newly developed attack. Though SSLv2 has been considered obsolete for
some time, it still exists on many servers. This is due mostly to poorly
maintained systems or older servers that still make their connections via
SSLv2, either by default or due to poor configuration.
DROWN (Decrypting RSA with
Obsolete and Weakened eNcryption) steals information through VPN connections
made to web and mail servers that use SSLv2. Even systems using a more modern
encryption method are prone to this exploit if they connect to systems which
still employ the obsolete SSLv2. Thirty-three percent of browser-trusted HTTPS sites
are in fact vulnerable to DROWN attacks. This is because faults in SSLv2 are
used by DROWN to exploit TLS connections when these protocols communicate with
each other. It is a serious, cross-platform threat.
To counter DROWN, one should ensure
that SSLv2 is disabled on their systems and avoid sharing private keys
with servers that still use the protocol. There is no need to reissue certificates. And,
as always, be sure that one's crypto packages are up to date. Tools like public_drown_scanner
and drowncheck
are hosted on GitHub and are recommended if one fears that a compromise has
occurred. OpenSSL released a patch last Tuesday to address this threat.
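The two mitigations above (disable SSLv2, and do not let a key used by a modern TLS server also live on an SSLv2 host) can be checked together from a simple inventory. The following is an added example, not code from the original post or from any DROWN tooling; it assumes an Apache-style `SSLProtocol` string per host and treats a bare `all` as including SSLv2 unless `-SSLv2` removes it, which is the conservative reading for an old OpenSSL build. Host names and key bytes are constructed placeholders.

```python
import hashlib
from collections import defaultdict

# Constructed inventory of TLS endpoints for the example: hostname -> (Apache-style
# SSLProtocol value, the server's public key bytes). The key bytes are placeholders
# standing in for the real DER-encoded public key.
INVENTORY = {
    "www.example.com":    ("all -SSLv2 -SSLv3", b"rsa-key-A"),
    "mail.example.com":   ("all",               b"rsa-key-A"),  # same key as www, SSLv2 not excluded
    "legacy.example.com": ("SSLv2 TLSv1",       b"rsa-key-B"),
    "api.example.com":    ("TLSv1.2 TLSv1.3",   b"rsa-key-C"),
}


def sslv2_enabled(protocols: str) -> bool:
    """True if an Apache-style SSLProtocol value leaves SSLv2 enabled.

    Tokens are processed left to right: a bare name or '+name' enables it,
    '-name' disables it. Conservative assumption: 'all' includes SSLv2
    unless a later '-SSLv2' removes it, as an old OpenSSL build would behave.
    """
    enabled = False
    for token in protocols.split():
        name = token.lstrip("+-").upper()
        if name not in ("SSLV2", "ALL"):
            continue
        enabled = not token.startswith("-")
    return enabled


def key_fingerprint(public_key: bytes) -> str:
    """Stable identifier for a key; matching fingerprints mean the same key pair."""
    return hashlib.sha256(public_key).hexdigest()


def audit(inventory: dict) -> dict:
    """Map each host to its findings.

    A host is exposed either directly (SSLv2 still enabled) or indirectly
    (its key is also served by an SSLv2 host), which is the cross-protocol
    case DROWN relies on. An empty list means no finding.
    """
    hosts_by_key = defaultdict(list)
    for host, (_, key) in inventory.items():
        hosts_by_key[key_fingerprint(key)].append(host)

    findings = {}
    for host, (protocols, key) in inventory.items():
        problems = []
        if sslv2_enabled(protocols):
            problems.append("SSLv2 enabled")
        for other in hosts_by_key[key_fingerprint(key)]:
            if other != host and sslv2_enabled(inventory[other][0]):
                problems.append(f"key shared with SSLv2 host {other}")
        findings[host] = problems
    return findings


if __name__ == "__main__":
    for host, problems in audit(INVENTORY).items():
        print(f"{host}: {', '.join(problems) or 'ok'}")
```

Note that `www.example.com` has SSLv2 correctly disabled yet is still flagged, because `mail.example.com` serves the same key with SSLv2 reachable; that indirect case is the one administrators most often miss.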
Focused on antivirus evasion, the Veil
Framework is a suite of security tools geared toward detection
evasion: Veil-Evasion uses a variety of techniques to evade
antivirus. Veil-PowerView is a PowerShell tool used to gain network
access on Windows machines. Veil-Catapult is a psexec-style tool that works
with Veil-Evasion, and Veil-Pillage is a post-exploitation framework that integrates
Veil-Evasion. The recently updated Veil Framework is aimed at pentesters, but
is likewise a threat to be aware of.
The glibc DNS client, libresolv,
has had a vulnerability exposed which makes it susceptible to stack overflow
attacks. This allows remote code execution in programs that use it, including ssh, php, sudo, and
others. Under the right conditions, larger than normal DNS requests cause a size
mismatch in the stack buffer, producing a stack buffer
overflow. Most exploitable fronts are protected by technologies like ASLR and
stack overflow protection, which can be built into software when compiling
applications locally. Information on building software with a hardened
toolchain is available from the Hardened Gentoo project.
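Beyond compiler hardening, the defence at the code level is to check every length against the buffer before copying. The block below is an added illustration, not glibc's code and not a reproduction of the bug: it models a resolver that owns a fixed 2048-byte receive buffer (a constructed size for the example), refuses any reply that does not fit instead of copying it, and decodes DNS names with every index bounds-checked and compression pointers capped so a self-referencing reply cannot loop. `sample_reply` builds constructed test data.

```python
import struct

# Constructed value for the example: size of the fixed receive buffer the resolver
# model copies answers into. Any answer larger than this must be refused, never copied.
RECV_BUF_SIZE = 2048
DNS_HEADER = struct.Struct("!HHHHHH")  # id, flags, qdcount, ancount, nscount, arcount


def check_response(data: bytes, expected_id: int, buf_size: int = RECV_BUF_SIZE):
    """Validate a DNS reply before it touches a fixed-size buffer.

    Returns (accepted, reason). The size check comes first: a reply that does not
    fit the buffer is rejected outright rather than copied and truncated.
    """
    if len(data) > buf_size:
        return False, "reply larger than receive buffer"
    if len(data) < DNS_HEADER.size:
        return False, "reply shorter than a DNS header"
    rid, flags, _qd, _an, _ns, _ar = DNS_HEADER.unpack_from(data)
    if rid != expected_id:
        return False, "transaction id mismatch"
    if not flags & 0x8000:
        return False, "QR bit clear: not a response"
    if flags & 0x0200:
        return False, "TC bit set: retry over TCP instead of trusting a partial reply"
    return True, "ok"


def read_name(data: bytes, offset: int, max_jumps: int = 8):
    """Decode a DNS name with every index checked against len(data).

    Compression pointers are followed at most max_jumps times, so a reply that
    points at itself cannot loop forever. Returns (name, offset_after_name).
    """
    labels, jumps, resume_at = [], 0, None
    while True:
        if offset >= len(data):
            raise ValueError("name runs past end of reply")
        length = data[offset]
        if length == 0:
            offset += 1
            break
        if length & 0xC0 == 0xC0:                     # compression pointer
            if offset + 1 >= len(data):
                raise ValueError("truncated compression pointer")
            if resume_at is None:
                resume_at = offset + 2                # parsing resumes after the pointer
            offset = ((length & 0x3F) << 8) | data[offset + 1]
            jumps += 1
            if jumps > max_jumps:
                raise ValueError("compression pointer loop")
            continue
        if offset + 1 + length > len(data):
            raise ValueError("label runs past end of reply")
        labels.append(data[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length
    return ".".join(labels), (offset if resume_at is None else resume_at)


def sample_reply(txid: int, flags: int = 0x8180) -> bytes:
    """Constructed reply: header, the name www.example.com, then a pointer back to it."""
    name = b"\x03www\x07example\x03com\x00"
    return DNS_HEADER.pack(txid, flags, 1, 1, 0, 0) + name + b"\xc0\x0c"


if __name__ == "__main__":
    reply = sample_reply(0x1234)
    print(check_response(reply, 0x1234))
    print(read_name(reply, 12), read_name(reply, 29))
    print(check_response(b"\x00" * 4096, 0x1234))
```

The ordering matters: the size bound is enforced before a single byte is interpreted, which is the check a stack-buffer overflow of this kind depends on being absent.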
Linset is an 'evil twin'
bash script circulating through darknet circles. 'Linset' is a recursive
acronym: 'Linset Is Not A Social Engineering Tool.' Linset performs the
following:
- Scans networks
- Captures handshakes
- Mounts a FakeAP
- Serves DHCP on the FakeAP
- Creates a DNS server to redirect traffic from the host
- Deauthenticates users on the network so that they connect to the FakeAP and enter passwords
- Checks the validity of the entered passwords
- Ends the attack upon a successful, authenticated password capture
Linset is simply a bash script
implementing a number of applications such as aircrack-ng, dhcpcd, and hostapd,
to name a few. Most of these tools are found on any Linux distribution that
ships a full suite of applications, and the well-known pentester distro, Kali
Linux, contains all of these tools and more to round out Linset as a threat.
Linset ships in Spanish, and in the hands of any script kiddie with a working
knowledge of Español and a keyboard, it can be dangerous. While it's unlikely
Linset will be able to hijack an enterprise server, the cyber vandalism it can
cause is troublesome to repair.
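The two steps that make this attack visible on the air are the deauthentication flood and a second access point beaconing the victim network's SSID from an unknown BSSID. The following is an added detection example, not part of the original post and not Linset's code: it runs over a constructed summary of 802.11 management frames (as a monitor-mode capture might be reduced to), flags any source whose deauth frames reach a threshold inside a sliding window, and flags beacons that advertise a known SSID from a BSSID not in the approved list. The SSID, BSSIDs, window and threshold are all assumptions for the example.

```python
from collections import defaultdict

# Constructed allow-list for the example: SSID -> set of legitimate BSSIDs.
KNOWN_APS = {"CorpWiFi": {"aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02"}}

# Constructed management-frame log: (timestamp_s, frame_type, bssid, detail).
# For beacons the detail is the SSID; for deauth frames it is the destination.
FRAMES = [
    (0.0,  "beacon", "aa:bb:cc:00:00:01", "CorpWiFi"),
    (0.1,  "beacon", "aa:bb:cc:00:00:02", "CorpWiFi"),
    (40.0, "deauth", "aa:bb:cc:00:00:02", "11:22:33:44:55:66"),  # isolated, normal
    (95.0, "beacon", "de:ad:be:ef:00:01", "CorpWiFi"),            # unknown BSSID, our SSID
]
# A deauth flood: 30 broadcast deauth frames spoofed from AP 01 within three seconds.
FRAMES += [(10.0 + i * 0.1, "deauth", "aa:bb:cc:00:00:01", "ff:ff:ff:ff:ff:ff")
           for i in range(30)]


def deauth_bursts(frames, window_s=10.0, threshold=20):
    """Return {bssid: peak_count} for sources whose deauth frames in any
    window_s-second sliding window reach threshold."""
    times = defaultdict(list)
    for ts, ftype, bssid, _ in frames:
        if ftype == "deauth":
            times[bssid].append(ts)
    flagged = {}
    for bssid, stamps in times.items():
        stamps.sort()
        start = 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window_s:   # slide the window forward
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[bssid] = max(flagged.get(bssid, 0), count)
    return flagged


def rogue_aps(frames, known=KNOWN_APS):
    """Return {(bssid, ssid)} for beacons advertising a known SSID from an unknown BSSID."""
    return {(bssid, ssid) for _, ftype, bssid, ssid in frames
            if ftype == "beacon" and ssid in known and bssid not in known[ssid]}


def alerts(frames, known=KNOWN_APS):
    """Human-readable findings, deterministic order for logging."""
    out = [f"deauth flood from {b}: {n} frames in window"
           for b, n in sorted(deauth_bursts(frames).items())]
    out += [f"rogue AP {b} advertising {s}" for b, s in sorted(rogue_aps(frames, known))]
    return out


if __name__ == "__main__":
    for line in alerts(FRAMES):
        print(line)
```

The single deauth from AP 02 stays below the threshold and is not reported, which is the point of windowing: isolated deauth frames are normal, a burst of them from one source is not.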
Sources:
http://76qugh5bey5gum7l.onion
Joseph Gant is a guest blogger, a security junkie and a glassblower by trade. Though he holds a degree in Scientific Glass Technology, his life's study encompasses many variables: a long-time student of Tibetan region and culture, science, music, and a lover of literature.