Posted: . At: 12:20 PM. This was 4 years ago. Post ID: 13900
Scanning a Linux system for vulnerabilities can be a lot of fun. I have used Nessus to find SSH vulnerabilities like Heartbleed.

I was doing penetration testing on a Linux machine and I found a Heartbleed bug.

Vulnerability Explanation: The installation of OpenSSL on the Linux webserver was found to be vulnerable to the Heartbleed bug. A Nessus scan was run against the webserver and this was one of the many vulnerabilities found. The scan reported the following issues for this OpenSSL build:

- An error exists related to the implementation of the Elliptic Curve Digital Signature Algorithm (ECDSA) that could allow nonce disclosure via the ‘FLUSH+RELOAD’ cache side-channel attack. (CVE-2014-0076)
- An out-of-bounds read error, known as the ‘Heartbleed Bug’, exists related to handling TLS heartbeat extensions that could allow an attacker to obtain sensitive information such as primary key material, secondary key material, and other protected content. (CVE-2014-0160)

Vulnerability Fix: Upgrade to OpenSSL 1.0.1g or later. Alternatively, recompile OpenSSL with the ‘-DOPENSSL_NO_HEARTBEATS’ flag to disable the vulnerable functionality.
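The 1.0.1g fix is a pair of length checks on the incoming heartbeat record: the record must be large enough to hold the 3-byte header plus 16 bytes of padding, and the payload length the peer claims must fit inside the bytes that actually arrived; otherwise the record is silently discarded, as RFC 6520 requires. The following is an added example, not code from the post or from OpenSSL, that reproduces those checks on a constructed heartbeat record in Python (the message layout is RFC 6520's; the function names and the sample payloads are mine), and adds a small helper that classifies an OpenSSL version banner against the 1.0.1 through 1.0.1f range the fix above refers to.

```python
import re
import struct
from typing import Optional

# TLS heartbeat message layout (RFC 6520): 1-byte type, 2-byte payload length,
# payload bytes, then at least 16 bytes of random padding.
HB_REQUEST = 1
HB_RESPONSE = 2
HEADER_LEN = 1 + 2
MIN_PADDING = 16


def build_heartbeat(payload: bytes, claimed_len: Optional[int] = None) -> bytes:
    """Build a heartbeat request record (constructed test input).

    `claimed_len` lets a caller build a malformed record whose length field
    claims more payload bytes than are actually present in the record."""
    length = len(payload) if claimed_len is None else claimed_len
    return struct.pack("!BH", HB_REQUEST, length) + payload + b"\x00" * MIN_PADDING


def heartbeat_response(record: bytes) -> Optional[bytes]:
    """Return the response record for a heartbeat request, or None when the
    request must be silently discarded.

    The two length checks mirror the ones OpenSSL 1.0.1g added before copying
    the payload back; the unpatched code trusted the claimed length and copied
    that many bytes from process memory, which is the out-of-bounds read."""
    rec_len = len(record)
    if HEADER_LEN + MIN_PADDING > rec_len:
        return None  # too short to be a valid heartbeat message at all
    hb_type, payload_len = struct.unpack("!BH", record[:HEADER_LEN])
    if HEADER_LEN + payload_len + MIN_PADDING > rec_len:
        return None  # claimed payload does not fit in the record: discard
    if hb_type != HB_REQUEST:
        return None  # only requests get answered here
    payload = record[HEADER_LEN:HEADER_LEN + payload_len]
    return struct.pack("!BH", HB_RESPONSE, payload_len) + payload + b"\x00" * MIN_PADDING


def echoed_payload(record: bytes) -> Optional[bytes]:
    """Payload bytes the responder would echo back, or None if discarded."""
    resp = heartbeat_response(record)
    if resp is None:
        return None
    _, n = struct.unpack("!BH", resp[:HEADER_LEN])
    return resp[HEADER_LEN:HEADER_LEN + n]


def is_heartbleed_version(banner: str) -> bool:
    """True for OpenSSL 1.0.1 through 1.0.1f (no letter means the 1.0.1 base
    release, also affected). Accepts banners like 'OpenSSL 1.0.1e 11 Feb 2013'.
    Distributions often backport the fix without changing this string, so
    treat a match as a prompt to verify, not as proof of exposure."""
    m = re.search(r"\b1\.0\.1([a-z]?)\b", banner)
    if not m:
        return False
    return m.group(1) < "g"


if __name__ == "__main__":
    print(echoed_payload(build_heartbeat(b"hello")))
    print(heartbeat_response(build_heartbeat(b"hello", claimed_len=0xFFFF)))
    print(is_heartbleed_version("OpenSSL 1.0.1e 11 Feb 2013"))
```

The well-formed record is echoed unchanged; the record whose length field claims 65535 bytes while carrying five is dropped, which is exactly the request the unpatched code would have answered with up to 64 KiB of adjacent memory. Hosts that pass the version check can still be patched via a distribution backport, which is why a scanner that actually probes the heartbeat behaviour, as Nessus does, is the more reliable check.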

Another massive vulnerability is the practice of storing database backups in a directory that faces the Internet: anyone can then download the database and whatever other files are exposed, and use them to exploit the website. This happens a lot. I once found a whole website backup with .htaccess files and all. This needs to stop. It was a web developer business too. Very embarrassing for them if the info got out.

Another vulnerability I have found is an SQL injection attack.

Vulnerability Explanation: A custom web application was identified that was prone to SQL Injection attacks. When performing the penetration test, I noticed error-based MySQL Injection on the taxid query string parameter. While enumerating table data, I was able to successfully extract unencrypted login and password credentials that also matched the username and password of the root user account on the operating system. This allowed for a successful breach of the Linux-based operating system as well as all data contained in the system.

Vulnerability Fix: Since this is a custom web application, a specific update will not properly solve this issue. The application will need to be programmed to properly sanitize user-input data, to run under a limited user account, and to ensure that any sensitive data stored within the SQL database is properly encrypted. Custom error messages are highly recommended, as it becomes more challenging for an attacker to exploit a given weakness if database errors are not presented back to them.
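To make the fix concrete, here is an added example (mine, not the application from the report) that puts the flawed lookup beside the corrected one on a small in-memory SQLite database. It is constructed: the `users` table, the `taxid` values and the sample credentials are made up, SQLite stands in for the MySQL backend, and the generic error response is a design choice of this example. Passwords are stored as salted PBKDF2 hashes rather than plaintext, which is the form of protection stored credentials actually need; the point about the root account in the report is that a leaked table should never hand an attacker a working password.

```python
import hashlib
import hmac
import os
import sqlite3
from typing import List, Tuple

# Constructed sample accounts (taxid, login, password); not from the report.
SAMPLE_USERS = [
    ("TX-1001", "alice", "correct horse"),
    ("TX-1002", "bob", "hunter2"),
    ("TX-1003", "carol", "letmein"),
]


def hash_password(password: str, salt: bytes) -> bytes:
    # Salted, slow hash: a dumped table no longer yields usable passwords.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (taxid TEXT PRIMARY KEY, login TEXT, salt BLOB, pw_hash BLOB)"
    )
    for taxid, login, pw in SAMPLE_USERS:
        salt = os.urandom(16)
        conn.execute("INSERT INTO users VALUES (?, ?, ?, ?)",
                     (taxid, login, salt, hash_password(pw, salt)))
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, taxid: str) -> List[str]:
    # The flaw from the report: the taxid parameter is pasted into the SQL text,
    # so a quote in the input changes the query instead of being data.
    sql = f"SELECT login FROM users WHERE taxid = '{taxid}'"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn: sqlite3.Connection, taxid: str) -> List[str]:
    # Bound parameter: the value travels separately from the SQL text and can
    # only ever be compared against taxid, whatever characters it contains.
    return [row[0] for row in conn.execute(
        "SELECT login FROM users WHERE taxid = ?", (taxid,))]


def handle_request(conn: sqlite3.Connection, taxid: str,
                   hardened: bool = True) -> Tuple[int, str]:
    """Return (status, body) as a request handler would.

    The hardened path never echoes the database error to the client; the
    details belong in the server log, not in the response an attacker reads."""
    try:
        logins = lookup_safe(conn, taxid) if hardened else lookup_vulnerable(conn, taxid)
    except sqlite3.Error as exc:
        if hardened:
            return 500, "Request could not be processed."
        return 500, f"Database error: {exc}"  # error-based injection feeds on this
    return 200, (", ".join(logins) if logins else "No match")


def verify_password(conn: sqlite3.Connection, login: str, password: str) -> bool:
    row = conn.execute("SELECT salt, pw_hash FROM users WHERE login = ?",
                       (login,)).fetchone()
    if row is None:
        return False
    salt, stored = row
    return hmac.compare_digest(hash_password(password, salt), stored)


DEMO_DB = make_db()

if __name__ == "__main__":
    print(handle_request(DEMO_DB, "' OR '1'='1", hardened=False))  # every login
    print(handle_request(DEMO_DB, "' OR '1'='1"))                  # No match
    print(handle_request(DEMO_DB, "'", hardened=False))            # leaks the error
    print(handle_request(DEMO_DB, "'"))                            # No match
```

Running it shows the three behaviours the fix paragraph asks for: the bound parameter turns the `' OR '1'='1` input into a harmless literal, a stray quote no longer produces a database error for the attacker to read, and the stored hashes are useless for logging in elsewhere even if the table is dumped.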

Maintaining access to a system is important to us as attackers: ensuring that we can get back into a system after it has been exploited is invaluable. The maintaining access phase of the penetration test focuses on ensuring that once the focused attack has occurred (i.e. a buffer overflow), we have administrative access over the system again. Many exploits may only work once, and we may never be able to get back into a system after we have already performed the exploit.

I added Administrator and root level accounts on all systems compromised. In addition to the administrative/root access, a Metasploit Meterpreter service was installed on the machine to ensure that additional access could be established. Another approach is to use a custom payload that replaces Linux utilities; this makes the impact of the malware invisible, as the familiar programs a system administrator uses to check the system will only show them what the attacker wants them to see. This is very hard to get rid of. A system infected with a rootkit is better off wiped and reinstalled from scratch, as it is difficult to know which files are genuine system files and which have been replaced by the malware payload.

The house cleaning portion of the assessment ensures that remnants of the penetration test are removed. Often fragments of tools or user accounts are left on an organization’s computers, which can cause security issues down the road. Ensuring that we are meticulous and that no remnants of our penetration test are left over is important. The same applies when an employee leaves a company: ensure that their user account is removed promptly. This is very important. Monitoring exploit databases and mailing lists is another good way to keep track of vulnerabilities in your applications. This way, you can keep ahead of the malicious users who will try to attack your site.
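Both of the previous two paragraphs come down to the same defender's question: does this host still match what it looked like before the engagement? The following is an added example, not code from the post, that answers it two ways on constructed data: it compares system binaries against a SHA-256 baseline (the way a rootkit that swaps `ps` or `netstat` shows up when the familiar tools themselves can no longer be trusted), and it reviews `/etc/passwd`-style entries for accounts that are not on an approved list or that carry UID 0 without being root (the leftover test accounts and added root-level accounts the house cleaning step is meant to remove). The binary contents, the baseline and the passwd lines are all made up for the example; on a real host the baseline would come from package manager verification data or from a hash run taken on a known-clean install, kept off the host.

```python
import hashlib
from typing import Dict, List, Set


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed "clean" binary images standing in for the package-supplied files.
GOOD_BINARIES: Dict[str, bytes] = {
    "/bin/ps": b"constructed clean ps image",
    "/bin/ls": b"constructed clean ls image",
    "/usr/bin/netstat": b"constructed clean netstat image",
}

# Baseline: path -> expected SHA-256, recorded while the host was known clean.
BASELINE: Dict[str, str] = {path: sha256_hex(data) for path, data in GOOD_BINARIES.items()}

# Constructed /etc/passwd content: one service account, one leftover pentest
# account, and one added account that is root-equivalent under another name.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
pentest:x:1001:1001::/home/pentest:/bin/bash
sysadm:x:0:0::/root:/bin/bash
"""
APPROVED_ACCOUNTS: Set[str] = {"root", "www-data"}


def find_replaced_binaries(baseline: Dict[str, str], current: Dict[str, bytes]) -> List[str]:
    """Paths whose current content no longer hashes to the baseline value,
    plus baseline paths that have gone missing. Read the files with a tool
    booted from trusted media: a rootkit can lie to anything run on the host."""
    bad = []
    for path, expected in baseline.items():
        data = current.get(path)
        if data is None or sha256_hex(data) != expected:
            bad.append(path)
    return sorted(bad)


def find_suspicious_accounts(passwd_text: str, approved: Set[str]) -> List[str]:
    """Flag accounts that are not on the approved list, and any account with
    UID 0 that is not root. Malformed lines are skipped rather than trusted."""
    findings = []
    for line in passwd_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 7 or not fields[2].isdigit():
            continue
        name, uid = fields[0], int(fields[2])
        if name not in approved:
            findings.append(f"{name}: not in approved account list")
        if uid == 0 and name != "root":
            findings.append(f"{name}: UID 0 but not root")
    return findings


if __name__ == "__main__":
    # Simulate a host where ps was swapped out and netstat was deleted.
    on_host = dict(GOOD_BINARIES)
    on_host["/bin/ps"] = b"constructed trojaned ps image"
    del on_host["/usr/bin/netstat"]
    print(find_replaced_binaries(BASELINE, on_host))
    print(find_suspicious_accounts(SAMPLE_PASSWD, APPROVED_ACCOUNTS))
```

The hash comparison is deliberately simple: the value of the check lies in where the baseline and the hashing tool live, not in the algorithm. Kept off the host and run from trusted media, it catches exactly the replaced utilities the rootkit paragraph describes; run from the compromised host's own `ps` and `sha256sum`, it reports whatever the attacker wants it to.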

Vulnerability database: https://www.cvedetails.com/.

Vulnerability mailing lists: https://nvd.nist.gov/general/email-list.

Insecure.org. Find information on vulnerabilities here: https://insecure.org/.

Infotech Management Services Pty. Ltd.

https://www.infotech.net.au/.
