* A mythical story about me
    * A demo for digital investigation and some brainstorming activities for an assassin plan
    * A demo for web application security includes port scanning, information gathering from http, https ports, banner grabbing, etc
    * Detailed information about OWASP and OWASP Turkey
    * Definition of Cyber World Concept
    * Examined the security necessity on cyber world
    * Defined cyber security concept
    * Talked about Terrorism, cyber-terrorism, cyber wars
    * Gave a functional approach to Terrorism
    * Highlighted the importance of web application security, threats, attack vectors, DoS, Buffer overflows, Injections,etc.
    * Generated a wide and deep multidisciplinary cyber security perspective
    * Finally, we talked about how we can prepare ourselves for future threats a little.

Actually, I was surprised by both seminars. I was planning to talk around 50 minutes however people were interested in the topic more than I could guess. So, I had to talk around 2-3 hours which I really enjoyed.

I think both seminars gave a new perspective about the future definitions of security and risk to listeners. I will write about these topics on this site later.

On the other hand, I will be in a IPTV show to talk about cyber terrorism with two lawyers soon, but before that, on the 29 April 2010, I will be in Yeditepe University, Istanbul to talk about cyber-terrorism for the Information Technologies Law Organization.

Besides that, I have a almost new job somewhere in Europe. I will also tell the details about that.

I will be in Istanbul Kultur University for a free seminar supported by OWASP. Fundamentally the topic will be about Cyber Wars, but also, will include;

• What is OWASP, OWASP Projects, seminar, society, etc.
• Internet as a new social and cultural domain
• Cyber world as a new milieu
• Why do we need a security perspective?
• First aggressions on the Internet
• Size and Shapes of threats
• Threat hierarchy of timeline
• Organized cyber crimes and cyber wars
• Cyber World and International Relations
• Terrorism and Cyber Terrorism
• How can we prepare for the future ?

Date: Tuesday, December 29, 2009
Time: 12:00pm – 1:30pm
Location: İstanbul Kültür Üniersitesi, Ataköy Kampüsü, Önder Öztunalı Konferans Salonu

http://www.webguvenligi.org/etkinlik/sunum-istanbul-kultur-universitesi.html
http://www.owasp.org/index.php/Turkey#tab=Meetings.2FConferences
http://www.owasp.org/index.php/Turkey#tab=Local_News.2FBrochure

Using SNMP it is possible to obtain the condition of a hard-drive partition, uptime of Switches, Routers, UPS, etc or traffic density on the port of a Router, etc. and run into Application Layer on TCP/IP stack. Furthermore, it runs multitude devices and operation systems such ;

• Core Network Devices (Routers, Switches, Hubs, Bridges, and Wireless Network Access Points)
• Consumer Broadband Network Devices (Cable Modems and DSL Modems)
• Consumer Electronic Devices (Cameras and Image Scanners)
• Networked Office Equipment (Printers, Copiers, and FAX Machines)
• Network and Systems Management/Diagnostic Frameworks (Network Sniffers and Network Analyzers)
• Networked Medical Equipment (Imaging Units and Oscilloscopes)
• Manufacturing and Processing Equipment, etc. 

The agent module which works and collect the information on the intended device, the manager part that interacts with the agent and takes the data from it, additionally, network management element which works on the manager and provides all the devices visible, traceable and reconfigurable, are the three main components of the SNMP protocol in order to work properly.

SNMP is a request-wait for apply based protocol. Network Management Component sends a request to a device that consist of Agent module, and after that the Agent returns the reply of the request to network management component. Management and Monitoring issues are handled five different types of messages in SNMPv1 which is is formally defined in RFC1157 : GetRequest, SetRequest, GetNextRequest, GetResponse, and Trap.

A single SNMP message is referred to as a Protocol Data Unit (PDU). These messages are described using Abstract Syntax Notation One (ASN.1) and translated into binary format using Basic Encoding Rules (BER). SNMP request messages are sent from managers to agents. Request messages can poll the agent for current performance or configuration data, ask for the next SNMP object in a Management Information Base (MIB), or modify configuration settings. SNMP agents should reliably decode request messages and process the resulting application data.

OUSPG’s research focused on the manner in which SNMPv1 agents and managers handle request and trap messages. By applying the PROTOS c06-snmpv1 test suite to a variety of popular SNMPv1-enabled products, the OUSPG revealed the following vulnerabilities:

VU#107186 – Multiple vulnerabilities in SNMPv1 trap handling

SNMP trap messages are sent from agents to managers. A trap message may indicate a warning or error condition or otherwise notify the manager about the agent’s state. SNMP managers must properly decode trap messages and process the resulting data. In testing, OUSPG found multiple vulnerabilities in the way many SNMP managers decode and process SNMP trap messages.

VU#854306 – Multiple vulnerabilities in SNMPv1 request handling

SNMP request messages are sent from managers to agents. Request messages might be issued to obtain information from an agent or to instruct the agent to configure the host device. SNMP agents must properly decode request messages and process the resulting data. In testing, OUSPG found multiple vulnerabilities in the way many SNMP agents decode and process SNMP request messages.

Vulnerabilities in the decoding and subsequent processing of SNMP messages by both managers and agents may result in denial-of-service conditions, format string vulnerabilities, and buffer overflows. Some vulnerabilities do not require the SNMP message to use the correct SNMP community string.

The CERT Advisory goes on to report the impact of these vulnerabilities:
    1. unauthorized privileged access
    2. denial-of-service attacks
    3. unstable behavior (service interruptions)
The CISO needs to keep the following concerns in mind when managing risk in the enterprise.

1. Threat: Fuzzing – Exposed Shared Secrets: A major vulnerability of SNMP v1/v2c is that the shared secret is sent in the clear; it is not encrypted. This is true whether the SNMP request is querying counter information, inspecting topology data, or reconfiguring the device. Since the shared secret is not hidden, an attacker can monitor the SNMP traffic to determine network topology and harvest those shared secrets. Among hackers, this is called fuzzing; amongst security professionals, this is Packet Sniffing.

   For example, using SNMP v1/v2c in an insecure network such as a DMZ means an attacker can monitor SNMP traffic and get community strings to perform their own queries or reconfigure devices using SNMP SET. By monitoring SNMP traffic or performing a query directly, an attacker can quickly determine the sysObjectID for each device. The sysObjectID tells the hacker the kind of operating system (OS) the device has. Knowing which OS allows the attacker to determine a suitable target and pick suitable tools to use against that target.
    

2. Threat: Service Interruptions: Vulnerabilities with decoding and processing the SNMP request message (whether a trapor request) in various software products is exploited by the Badly Formed SNMP Trap Attack. The impact of this attack is to blind the management software (prevent it from receiving more traps by causing it to crash) or blind the agent (making it unable to be queried by causing it to crash). The ability of the management software to continue to manage is degraded at best or disabled at worst.

   From within a DMZ, an attacker can reach the management software in the secure network when holes in the firewall are open to allow SNMP traffic or SNMP traps through directly. The attacker constructs special packets with ASN.1 decode errors. When the management console receives the message, it may exit abnormally. When critical daemons exit abnormally, the management software is degraded, causing service
   interruptions.
    

3. Threat: Denial Service : The denial-of-service attack disables management software by sending to a host more SNMP traffic than the host can process. The backlog of traffic to process causes the SNMP agent or manager to dedicate an unbalanced amount of CPU to process the attack’s traffic.

   From within a DMZ, an attacker can flood SNMP traps to the management console when SNMP traps are permitted to flow through firewalls from the DMZ to the secure side. This flood of traps (whether they are bogus or legitimate) causes the management software to backlog. The software uses too much CPU while processing the backlog, causing the management software to stop functioning effectively.

4. Threat: Unauthorized Privilege Access: This threat is the most feared by system managers – a vulnerability that can provide the attacker elevated, privileged access on a host or network device. A common vulnerability is caused by buffer overflow, but is specific to the software processing the SNMP packet.

   If an attacker determines SNMP v1/v2c SET community strings, the attacker can execute privileged commands. On networking devices, privileged commands may be used to reconfigure the device to behave undesirably. With advanced host agents, commands may be sent to the agent, which then execute in privileged state.

Today, mitigating risks with the SNMP protocol involves the choice of one or more mitigating factors:

• using SNMPv3 (not v1 or v2c),
• deploying an IPS appliance to protect against denial-of-service, or
• a management protocol proxy firewall which verifies SNMP traffic to ensure its authentic and valid as well as mitigating SNMP-based attacks.
• changing the community strings after set up SNMP
• keeping the protocol up to date

All the Resources are in the Reference Page.

The pupil never went out at night again.

• 10/07/2009 -- No Water, No Moon (0)

After the downloading, you should extract the files you downloaded to /opt

tar xvfz yourxammp.tar.gz -C /opt

If everthing goes ok, you have to start the lammp at first with "/opt/lammp/lammp start"

Then you can try if it works or not with your browser by trying to enter the http://localhost

The parameters you can use for XAMMP below

start, stop, restart, startapache, startssl, startmysql, startftp, security

Ex. /opt/lammp/lammp restart

hello :- display(‘Hello World!’) , nl .