The most demotivating thing about this job is that most small businesses haven’t caught up to technology.  Most small businesses believe that having a website means they are online and have an online presence.  Usually, this is not the case, in fact it is the opposite as it gives you the sense of feeling safe when your not.

SEO

SEO the main reason small business websites fail is not because of their design, sometimes they look beautiful.  Having good SEO practices really makes a website shine to people.  It can make a badly designed website have a thousand hits a day and a good design website have less than ten.

DESIGN

SEO can make a bad website have 1,000 hits a day.  Good design will make them want to stay.  This is where graphic designers and the business itself shines in terms of showing off creativity or professionalism.

USABILITY

Usability is not necessarily what makes people stay.  Instead, bad usability will make them leave and good usability means they should never have to think about it.  When you find a link on a website you should never think that it was easy to find, if you did you were probably at some badly designed websites prior.  This is where programmers and designers shine together.

Most important!

The most important thing is to have Good SEO, Good Design, Good Usability and you will have a great website.  Anyone can make a website.  Not everyone can make a good website to hit all 3 points.   Oh, and don’t forget security, but that is another post.

So in conclusion having a website doesn’t mean you have an online presence.  Sometimes if the website is bad it actually pushes clients away.

Think your website is good and want to show us? Call us for your FREE Consultation and let us tell you anything that is wrong.

239-465-3874

OK so we didn't test Sony's security.  If you don't want something like this to happen to your business get your security pentested.  Everyday a business goes down.  This time though it being Sony,  many people are starting to take security a little more seriously….Finally.

Ok I will Admit..

OK so I agree Sony was probably pretty arrogant and not checking there security most likely thinking.."Really?  I am Sony. I no be hackz."  Which is apparently untrue.  I mean they have been hacked 20 times already…I also read I am not sure if it's true but they fired some network security people before the breach…seems like a bad decision to do that….also I will put on the list could of been partly inside job, but hey I don't know maybe they got fired for not securing it very well /wink.  (Check out the list of hacks and details Here)

Either Way Hacktivist.

I enjoy hacktivism and hacktivist.  I enjoy reading about it.  I enjoy it more than the 1000's of sites I see hacked for no reason other than sport.  I also am excited to read these.  Just as if I was watching historical events taking place before my eyes.  Of course I love Sony products…..OK I will take that back I really only like there gaming systems and games.   Either way I think this will increase the security overall of the computer world in the end. 

I Am Drowning in Information!

Now What Do I do?

Now that you have plenty of information you would think that the information gathering step is done….WRONG information gathering is the whole process of social engineering.  You use social engineering to gather more information depending on your goal.  Some of the things I do with information is split it up between someones personal information and secure information.  For instance pet name and username/passwords.  Remember we are a company and we do not go any further than this as information gathering.  If I have usernames/passwords I have finished my job with that company and have more than enough information to explain some of there issues to them.  Some things you may do if you do not have any secure information and all personal is use it.  Using personal information to gather secure information is usually not a hard process.

Personal Information…I Don't Care About Spouse Names!

WAIT! Don't Throw Those Out Yet.

Some ways to use personal information:

Infiltration: Using it to gain further access into the building by social engineering. 

Developing Trust: Using knowledge about other employees to show that you "really" are friends.  Before this confuses you let me give you an example:

CORRECT :  "Hey, Sally how is Matt's wife Jasmin doing?"

WRONG: "I am really friends with you guys Sally, Matt's wife is named Jasmin."

Gaining Secure Information:  Some social engineering and you got some passwords and such. For instance after developing trust then go about telling them you need to fix there computer.

OoOoOo Passwords

Keep Reading.

Some ways to use Secure information:

Give Information:  Give the information you gathered to the person that would be interested in securing it.

Sorry guys.  My company stays on the White hat side of things.  So we do not use the Secure Information.  We would then give it to the person who hired us within the company.  (Usually the manager or CEO of the company)  So that they could secure the information better.

[video src=http://crystalatatrium.com/wp-content/uploads/wifi.mp4]

Here is the link to the NBC page.

Wifi Warning – NBC-2.com

Viruses Is there a cure?

Short answer…No

Why are viruses made you ask?  Well mainly 3 reasons.

1. Because someone whether it be a kid or adult was seeking revenge or just bored.

2. Making a name for themself….this doesn’t happen as much anymore just because viruses are easy to make and your no better than your peers if you do it.

3. Money. Infecting many people is profitable.

Lets think of an example.  Say you get a virus and it says  “OH NO your infected we found 1,000,000,000 viruses.  These viruses are taking your identity/credit card information. If you buy this anti-virus we can clean it.” It looks like an antivirus. Any time you try to do anything on your computer it is running slow.  Many things won’t open. This “Anti-Virus” keeps saying it found stuff.

So you think your computer will be faster and clean after you pay….so you do.  CHA-CHING.  They made money and they have your credit card info….also 95% of the time. They do not even remove the fake Anti-Virus so it still is slowing down your computer and causing issues you don’t even see. This is just one of the many ways viruses can be lucrative. Since viruses make money.  We will never rid ourselves of them. If you infect 100 people 1 or 2 will fall for it.  So what if you infect 100,000? Exactly.

What Do I Have?

Did you use protection?

In the subject of viruses there are many different types.  Lets go over the basic tree since everything can be branched off from there.  I will give basic explanations.

Virus- Infects one computer and can only spread to another with the help of a human. They use tricks to get you to help them spread.(Like plugging your thumbdrive into multiple computers.)

Worms- They spread with very little human interaction.  Of course they would spread through thumbdrives also but, through the network and through the internet.  This is what there made for. To spread and replicate.

Trojans- Trojans are more like a virus in the sense they usually only infect 1 or 2 machines and are not made to spread without humans.  These try to coin themselves off as something else…like that game you downloaded yesterday.

Viruses don’t break your computer.  People do.

So don’t hate them

Viruses also help give people jobs such as research and development of anti-virus software…Real ones. Also though when people buy those SEO services where they bring traffic to your website or when you buy many other SEO services usually they are made from BOTNETS basically a botnet is just a term for many computers who have been infected and can now be controlled with the virus.  Your computer may be part of a spamming botnet and you may never know.  You may just think your computer runs slow.

OMG I AM INFECTED!! I Guess Ill Burn It

Wait!.  Usually you just need an Anti-virus or Anti-Malware

The following is by no way the best.  In fact there is no such thing as the best.  NOT ONE anti-virus can catch all the viruses.  However, these are my favorite and personal experience best results.  Some of these need some kind of computer knowledge.  Like with HijackThis don’t just go checking everything and removing it or you will break your computer.

Hijackthis
Malwarebytes

Kaspersky TDSSKiller

Kaspersky Anti Virus Or Avast! but not both…

What else is there to know?

CMS

Before I got into that let me explain a few things.  CMS stands for Content Management System.  They are easily deployed and set up.  They provide a way for quick effecient deployments of websites and pretty secure.(By themselves. That is without plugins) Without plugins however they are quickly inefficient.

Well lets see.  You may already know if there on a CMS by certain aspects that stand out. Also some things that are not changed when someone makes a site with a CMS so the default is still sitting there.  Such as if you go to a site and look in the source and see something in the meta “Just Another WordPress site” guess what CMS there using?  There are many default configurations to look for and you will learn as you go.  No need to study them or anything.  If there on a CMS find out what plugins there using.  This may take some practice on what to look for but for instance look on the sidebar look for photo galleries.  These things do not usually come with the CMS, but are plugins to give it more functionality.  Ok so that was a quick CMS side.

I Can’t Find out the CMS

Either you have not learned enough or they are not using one

So what about the many people that are not on a CMS.  Well getting details is harder however penetration is easier…..usually. It really depends on your target.  If a huge corporation hired you to do this they probably have website techs who keep up the security.  Although if it is a smaller company usually the security is not up-to-date for websites.  Remember” there are exceptions to every rule”…except for the rule that “there are exceptions to every rule”.(I don’t want to cause a paradox).  Back on topic these websites you will look for extensions, directories, anything you can read.  Javascript is easily opened.  PHP and SQL are usually easily spotted. ASP is used much more often than I anticipated in the past but offers no more security than PHP or SQL and in my experience the websites usually have less security than ASP could give.  Look in the source find different file names.  Such as where a form is posting.  This will usually give some kind of inclination of what the website is built with.

Lets do some testing

Use a proxy and remember have permission

So first use a proxy because if you get caught while testing it doesn’t look good. Lets check some ports.  Try to test the different ports for a website. Best ones to test are commonly opened ports.  Try FTP and SMTP.  Try the secured ports.  Try going to the site through 8080.  I have seen a website have the capability for 8080 but not be setup properly.  This was good later when I convinced the IT guy that I was there to help him secure it.  Remember this is an information gathering phase…no bruteforcing and such.

Watch for the next part of this long tutorial

Yea I guess thats true.  Maybe I should of called it the mind.  Anyway it will make more sense as I explain it. This will be a multi-part blog. If this is your first post your reading I would recommend reading my Hacker Roadmap.  If you think your ready or your just too lazy to read the other one then continue on. Before you read on please read the disclaimer. 

What you may need to understand this:

Basic knowledge of how a website is built.

How to view source-code of a webpage.

Some basic HTML knowledge.

So this guy Doug Hotz asked me how I would go about hardening a network. Well Doug the most effective way is not the fastest.  It will take much time.  Best way to do it is to find the area that is the weakest. You will have to think like someone who wants to break into it, not someone who wants to protect it. Most of the time the weakest link of a network are the people who run it.  Remember there is no patch for human stupidity.  Now I can’t stress this enough.  If you haven’t practiced this and/or your just getting into the trade do not think for a second that since you couldn’t trick some guy into giving you his password that it can’t be done.

Information Gathering

So should I bring a bucket?

Information gathering is probably one of the most important steps when doing penetration testing. The more information you have, the more you can get.  The more information you get, the easier it is to get in. i.e. passwords anyone?.  The information gathering step never stops even when you have moved on from this step you will still be gathering information just not so aggressively. Best way to get information is physically. Yes that means getting out of the house and off the computer.

Where should I start?

Right there in front of your Internet capable device.

I know I said the best way is to be there in person. However you can just walk in a place and expect them to trust you.  Actually you do, but you need some stuff first.  Find out who your target is.  Is it a person or a company or a company personnel. Do a google search, facebook search, domain name search, find out who owns the domain, find out the bosses names, the names of anyone important and there spouses or pets. Use all this information.  

Also a really good way is if it is a company set up an appointment with someone in the building just so you can walk around.  If possible get lost. Take pictures. Take video. Try and find there network room. Look at much of the network. 

Need more information? Dumpster diving for trashbags of paper is an old school, but still in some cases effective.  Mainly on smaller companies. Next lets go with people.  People are really handy since the brain can store more information than anything we have.

Now lets go over each one of these individually. 

Searching…Searching…

404 error rhetorical question not found.

So the web to search.  I can’t help much here since it is self explainitory.  I will just go over some sites you can use and what to look for. Start at the website if they have one available.  What do you see? Nice pictures? Pretty colors? What else? 

Lets talk about pictures.  Well if you look at each one they have to be stored somewhere right? Now you have a directory or two that you know of.  Does the directory say anything specific? For instance if you saw templates/rt_chromatophore/images/someimage.gif what would that say.  It should say “rt_chromatophore?” thats unique. Now you found something that may give you some info.  Lets google “rt_chromatophore”.  Before I even finish typing it the helpful google already gave me the answer.  I now know its a joomla site.  The images is not the only thing that would give you information.  What about the directory of the stylesheets, javascript files.

What else can I look for?

Everything and anything means something….but here is a couple of tips

When you see a form such as enter your username and password or even just a contact form. What is the submit button doing? Is it a post? Where is the post going? what page is the form is posting too.  Look if there are any hidden form elements.  Look in the source code are there any comments in the code that will give you any information or meta tags people forget to change often provide you with very good info.  These are all things the attacker will use when profiling the target. What if you find an email address.  Doesn’t seem like a big deal right? Well is the email going to the same domain as the site. Then you may have just found yourself a username.

Did you find these things when you first looked? 

Even after all those little tips we have barely hit the tip of the metaphorical iceberg. So try and find a site that your interested in.  It is not illegal to read source code.  Although it is to try and break into a site without permission so I do not condone that.

Now Part 2 will also be on information gathering.  I will finish up the web aspect of it and move on to the physical side of gathering information.

I know there are many sql injection tutorials.  However I will write this one mostly for the people who do not have much knowledge of SQL or programming.  This tutorial is for people that want to know how it works not how they can use it. However if you do know basic programming in php and sql then you will also learn the latter.

Quirky text in bold’ OR 1=1

Ok so best way to put this in an example is with the english language.  The ending of a sentence is a period (lets keep it simple and forget ! and ?). When someone reads a period the next word begins a new sentence.  In programming it is the same. If someone gave me a document that had some sentences such as I like computers.  Computers are awesome. I am getting a new computer. Well an example of injection is if I took that sentence and injected my own statement. So it would read something like I like computers.  Computers are awesome. I hate you. I am getting a new computer. Now this document is way different.  Next I will make this example a little closer to injection actually used in programs….but this is the gist of it.

So now lets move this to a more programming side.  Lets use a variable called $USERINPUT. This variable will be replaced with whatever text you put into the prompt (use your imagination). Now our new sentence will look like this. I like computers.  Computers are awesome. I am getting a new $USERINPUT. Lets say for the sake of argument when it asks you to type in a word you type Television. So when it outputs the sentence it will come to you as I like computers.  Computers are awesome. I am getting a new Television. Hmmm.. So if you think about that it means that anything you type when it asks for $USERINPUT will go in that spot, however lets say for the sake of argument again that it will not accept broken or sentences that do not end with a period.  So the next time it asks for $USERINPUT I type in this “Television. I need $2,000,000 dollars sent to 555 street ave fort myers fl” notice I added the period after Television but not after fort myers fl.  This is because there is already a period in the sentence lets input it. I like computers.  Computers are awesome. I am getting a new Television. I need $2,000,000 dollars sent to 555 street ave fort myers fl. That will in theory get you $2,000,000….ok not really but that is the idea.

Time For Some SQL

SQL?…Sea Quarks…Lies

So if you got this

This should be a fairly common thing you see.  Username and password and a submit button and such. This form lets you enter information, usually especially nowadays this is pretty secure, but in this example we are going to assume it is not secure and it does not validate your input. Here is the assumed code in the backend

$username=$_POST['username'];
$password=$_POST['password'];
$result="SELECT * FROM `users` WHERE username='".$username."' AND password='".$password."'";
$result2=mysql_query($result) or die("Wrong username and password");
$result3=mysql_fetch_array($result2);

As you can see the username is used straight from whatever is posted in the above form where you would enter your username and password. That is a security flaw.  Now let me say again this is old and probably secure on 99.9% of all websites and it is just an example. So lets look.  What is the last clause that is looks at?  password. that is the last part of the WHERE statement.  So if I type in the username John and the password Doe.  When the code is running it will look like this.

$username=$_POST['username'];
$password=$_POST['password'];
$result="SELECT * FROM `users` WHERE username='John' AND password='Doe'";
$result2=mysql_query($result) or die("Wrong username and password");
$result3=mysql_fetch_array($result2);

Do you see how the whole PHP variable “.$password.” was replaced with the info provided?
So what if we were to add our own code into it….hmmm what if I typed some thing like the username John and for the password something like blah’ ’1′=’1 well I wonder what that would do….lets insert it into the code. (also notice I didn’t add a ‘ at the end of the code blah’ ’1′=’1 remember the code already ends it with one so we are going to let it do that for us.

$username=$_POST['username'];
$password=$_POST['password'];
$result="SELECT * FROM `users` WHERE username='John' AND password='blah OR '1'='1'";
$result2=mysql_query($result) or die("Wrong username and password");
$result3=mysql_fetch_array($result2);

As you can see it is going to check the username Oh it found it John is the username.  Then it moves on to the password.  Is the password blah? no but its an OR statement so the password has to be blah or 1 has to equal 1 and it does.  So it says the password is not blah but 1 does equal 1 so you have access. Then it will drop you into the logged in portion of the site.  That is the basics to injection and SQL injection.  Have any questions? feel free to email me.

You mean where I keep my flag?

So I spoke to a man today who was pretty well versed in computers.  We got on the subject of hexadecimals and binary.  I found out he knows hexadecimal for colors and he understands them somewhat and he knows binary is the language computers use and can read them if need be. However here on Crystal Atatrium that is not good enough.  So per his request and some others that may want to understand more I will explain Bases and positional systems. More of a mathematical explanation but should be learned when learning computers.

2+2=11?

No, I am not just being funny, it really can

So I am by no means a math teacher, however it is one of my loves. Ok so most likely if your reading this you at least know base 10.  You probably have never heard it be called by that name before. Base-10 is the system mostly used it goes like this 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11….etc etc easy huh.  Now why is it called base 10 you ask? Well that would be another much longer answer and also one I am not too sure about.  However easier way to remember is if you include 0 there are 10 digits 0-9.  Now it is much easier to learn bases visually so here is base-10 counting to 10 and below it base-2 counting to 10 and finally lets go with base-3.

As you can see in base-2 you never write the number 2 instead you treat it like you would if you reached 9 on base 10. Same with Base-3.  Once you reach 3 you treat it as if you reached 10 in your everyday base of base-10. If you use the chart on the base-3 (third row) go to 2 and then add 2 too it by moving 2 places over.  You get 11! See I told you it can.

When are these used?

I just used them 2+2=11!!

Now computers use the simplest one of base 2.  It is simple because there are only 1's and 0's.  On or Off. Yes or No.  I could go on with these mundane opposites but i assume you get the point. If you wanna know more about that look up programming and compiling programs.  Another base used often is Base-16 aka Hexadecimal.  If you understand the above figuring out this will be a cinch.  so what single character do we use to represent 10, its A. so here is another chart.

Ok the first row is base-10.  Second row is base-16 (hexadecimal).  and the third row I will let you figure out. So you see how 11 in hexadecimal is 17 in base-10 aka decimal (Our everyday number system). Many times in computers people will use hex-editors to make changes to a program and just what the name says.  It opens it up in hex.  So you will see things like 44 72 61 63 6f 20 69 73 20 61 20 67 65 6e 69 75 73 Now still on the topic of computers.  Hexadecimal correlates to ASCII code.  For instance there are 255 ASCII codes.  This can be represented in hexadecimal as FF which is equal to 255 in decimal.  Now in a hex editor you will see each character represented by a hex-code which pertains to a decimal number which pertains to an ASCII character.  Confusing right? Well here is a small chart.  If you want another full one just type "ASCII CHART" into google.

Notice there are different codes for UPPERCASE and lowercase. Try and decode the message I wrote earlier.  Thank you for reading.  Remember I really simplified this to be easier to understand.  There are more detailed explanations if you so desire, just search for them.

If you do not know what social engineering is, read here . Put simply, it is hacking people.  Like most of the things on this site, this is about learning.  I do not recommend lying your way into a company. Also, on the topic of learning, if there is a word you do not know on here, I provided links so you can read about it.

So, back to the issue at hand here, a couple days ago, I got a call at my office to go on-site to a new company. They wanted me to come in and fix any problems that I could find on their computers.  I was happy because I like more hands on work anyways.  When I got to this company, there were security holes everywhere. I walked around for a bit and no one even asked me what I was doing or anything.  Finally, I walked up to the front desk and the woman sitting there asked me who I was. She did not even know that someone had called for a computer technician…..

What Now?

She didn’t know. She will probably call someone then, right? No.

She got up and asked me to look at her computer. She gave me the passwords for her everything….even email ( Though, I told her I didn’t need them but whatever.)  So after 5-10 minutes in this company, I had gained access to the network and too much information.  I let her know that her computer had some stuff on the startup and removed it and I moved on (also wrote it down for charging later).

The I.T. Department

Hackers beware…Oh, he isn’t an I.T. person

I finally found the “Head” IT guy for the company.  He was really just an employee that they gave the title to so they could say they have one.  I don’t think he knew much about computers…but probably more than the rest of the company which is fine because he probably hates it and doesn’t even really work on it. I understand his pain. I am not a car person so I wouldn’t want to be stuck with mechanic duties. I asked him where his router/switches for the company were and he led me to them…guess where to…

Secure Area?

In a barrier created by the 7 high wizards?

Wrong! The bathroom.  They were in the men’s bathroom to be precise.  This bathroom was a one man bathroom so the door could lock from the inside….yet another security flaw.  I was so confused how this idea came about because this isn’t the first time I have seen a server and/or switch and router in bathrooms.

What Now?

This place is easier than OR ’1=1

After giving him tips and such about how to secure these problems, I fixed his issue (someone was messing with his switch and a couple of wires were loose).  He didn’t pay me to secure the place but I let him know that he should get us out there to help him with that. Basically, the moral of this story is that we need to teach people about the value of security.  If someone is walking around the company that you don’t know and isn’t usually there… just stop them and ask them what they need. If that woman would have known to at least ask someone to confirm that they had actually called a computer technician, it would have been OK. Also, most techs should not ask you to just give them YOUR password, instead they will have you type it for them.  Also, switches and routers in a closed bathroom…….Need I say more about that. At least lock it up in there with a padlock (this place sold padlocks by the way).  It is amazing what you can get out of people with the “I am suppose to be here attitude” and a professional T-shirt.