DLP expert Michael Swanagan reviews the best DLP software vendors on the market and provides his insights learned from over 15+ years…
The main difference between vulnerability assessments and penetration testing is that vulnerability assessments identify potential weaknesses in an organization’s IT infrastructure through high-level security scans. Penetration testing goes a step further by simulating real-world attacks to test the effectiveness of security measures and provide a more in-depth analysis of the organization’s security posture.
Credentialed scanning, using privileged credentials, provides in-depth vulnerability analysis and accurate results, assessing systems and…
Security Operation Centers (SOCs) provide real-time monitoring, detection, and response in order to mitigate or prevent cyber attacks when they occur.
You can fix the Log4j vulnerability by updating Log4j to the latest version (2.15.0 or later for CVE-2021-44228 and 2.16.0 or later for CVE-2021-45046) and applying temporary workarounds if immediate updating is not feasible.
You should also use the Java Security Manager, restrict external configuration, maintain regular updates for dependencies, and actively monitor logs and network traffic for any indications of suspicious activity using intrusion detection systems and security information and event management tools.
This powerful logging tool, despite its popularity, has been found to harbor severe security flaws that put countless systems at risk.
The impact of the Log4j vulnerability, known as CVE-2021-44228 or Log4Shell, has been substantial and continues to pose a significant threat due to many unpatched systems.
Within the first 24 hours of the outbreak, security sensors recorded almost 200,000 attack attempts worldwide.
In this article, we’ll explain how Log4j’s security problems work.
We’ll also give helpful tips on how to protect your applications from these threats while still enjoying the benefits of this useful logging tool.
Get a step ahead of your cybersecurity goals with our comprehensive templates.
The Log4j vulnerability works by exploiting a feature within Log4j that allows log messages to include JNDI references.
Attackers craft malicious log messages containing a JNDI reference pointing to an attacker-controlled server.
When a vulnerable Log4j version processes these messages, it unwittingly triggers a remote code execution by fetching and executing malicious code hosted on the attacker’s server.
This exploit grants the attacker unauthorized access and control over the affected systems, posing a significant security risk.
The impact of this vulnerability is widespread, as Log4j is commonly used in various applications and platforms.
Due to its severity, organizations must urgently update their Log4j libraries to a patched version, implement workarounds, or apply additional security measures to mitigate the risk.
Log4j 1.x has reached its end of life, and it is no longer receiving updates or security patches.
As a result, it is highly recommended to upgrade to Log4j 2.x to ensure your applications remain secure and up-to-date.
Log4j 2.x has introduced several security enhancements, including improved handling of user input and support for various security frameworks.
These improvements are essential for mitigating potential vulnerabilities and protecting your applications.
Log4j 2.x now handles user input more securely through Lookups. Lookups are used to evaluate expressions within log messages, potentially exposing sensitive data if not properly managed. Log4j 2.x disables Lookups by default, significantly reducing potential security risks.
Log4j 2.x provides seamless integration with the Java Security Manager, enabling granular control over the actions that can be performed by the logging library. This integration helps prevent unauthorized access to system resources and ensures the integrity of your applications.
Scanning for Log4j vulnerabilities involves several steps to ensure comprehensive detection across your systems and applications.
Here are the key steps to follow:
There are several scanning tools and methods available to detect the Log4j vulnerability in your systems and applications.
Some of these tools include:
Nmap is a widely used, open-source network scanning tool that can help identify vulnerable systems by probing open ports and services.
Nmap scripts (NSE) specific to Log4j vulnerability detection have been developed, such as log4j2-scan and log4shell.
Nessus is a popular vulnerability scanner that can detect the Log4j vulnerability using its regularly updated plugin library.
Ensure that you have the latest plugins to scan for Log4j-related issues.
Qualys offers a cloud-based vulnerability management platform that can scan your network, systems, and applications for Log4j vulnerabilities.
It provides detailed reports and remediation guidance to address the issue.
Rapid7’s vulnerability management solutions, InsightVM and Nexpose, can scan your infrastructure for Log4j vulnerabilities.
They offer real-time vulnerability data and prioritization to help you remediate the issue effectively.
OpenVAS is an open-source vulnerability scanner that can detect Log4j vulnerabilities with its up-to-date plugin feeds.
As a part of the Greenbone Vulnerability Management suite, it offers comprehensive vulnerability scanning and reporting capabilities.
In addition to these scanning tools, it is also essential to regularly review logs, employ intrusion detection systems, and monitor network traffic for any signs of Log4j exploitation.
The most effective mitigation strategy is to update the Log4j library to the latest version.
The Apache Software Foundation has released patches addressing the vulnerability:
If updating Log4j is not immediately feasible, temporary workarounds can be implemented, such as:
Integrate the Java Security Manager with your applications to enforce strict security policies. This prevents unauthorized actions and ensures a secure environment for your applications.
Log4j 2.x allows for external configuration through various means, including XML, JSON, and YAML files. Limit external configuration to trusted sources and validate any configuration files before applying them to your applications.
Keep your Log4j and other dependencies up-to-date to ensure that you are using the latest security patches and enhancements. Regular updates help mitigate vulnerabilities and protect your applications from potential threats.
Regularly monitor logs and network traffic to detect any signs of exploitation. Utilize intrusion detection systems (IDS) and security information and event management (SIEM) tools for real-time threat detection.
To find Log4j on Windows systems, you can use the following methods:
dir /s /b log4j*.jar
This command searches for Log4j JAR files in the current directory and all its subdirectories, displaying the results with the full path.
Get-ChildItem -Path . -Recurse -Filter “log4j*.jar” -File | Select-Object FullName
This command searches for Log4j JAR files in the current directory and all its subdirectories, displaying the results with the full path.
Remember to examine all Java applications and services, including third-party software and cloud services, as they might also contain Log4j dependencies.
To prevent future Log4j-related issues, you should consider the following strategies:
Log4j is an open-source Java-based logging library that has recently gained attention due to a critical vulnerability known as Log4Shell.
This flaw allows attackers to execute arbitrary code on vulnerable systems, leading to a wide range of cybersecurity issues, such as malware infections, denial-of-service attacks, and other exploits.
Think of Log4j as a digital lock that, unfortunately, can be picked by those with malicious intent.
The vulnerability affects Log4j versions 2.x up to 2.14.1. Update to Log4j 2.15.0 or later to mitigate the risk.
Upgrade to Log4j 2.15.0 or later, disable JNDI lookups, or apply a Java Agent that prevents malicious JNDI lookups.
Anyone using the affected versions of the Log4j library is at risk, including small businesses, large enterprises, and even individuals. Windows, Linux, and macOS systems can all be affected.
This vulnerability is considered a “zero-day” exploit, meaning it was unknown until it was publicly disclosed, leaving many systems exposed to potential attacks.
It’s like discovering your house keys have been secretly copied and distributed to burglars.
Anyone using the affected versions of the Log4j library is at risk, including small businesses, large enterprises, and even individuals. Windows, Linux, and macOS systems can all be affected.
This vulnerability is considered a “zero-day” exploit, meaning it was unknown until it was publicly disclosed, leaving many systems exposed to potential attacks.
It’s like discovering your house keys have been secretly copied and distributed to burglars.
Yes, Log4j 2.x provides a flexible API that allows you to integrate with other popular logging frameworks, such as SLF4J, Apache Commons Logging, and java.util.logging.
Some popular alternatives to Log4j include Logback, SLF4J, and java.util.logging. These logging frameworks offer various features and capabilities, so it is essential to evaluate which one best suits you.
Cloud services and platforms may be at risk if they use vulnerable versions of Log4j. Many cloud providers have already taken steps to address the vulnerability, but it is essential to verify the status of your specific services and implement necessary updates or workarounds.
While the vulnerability primarily impacts Java-based applications, non-Java applications that use the Log4j library through third-party integrations may also be affected. It is crucial to assess all components of your software stack for potential exposure.
Article by
There are three main types of security controls including technical, administrative, and physical. Most controls in cybersecurity…
The role of a virtual CISO is to be the ultimate security advisor for businesses, providing specialized advice regarding policy…
You can expect to pay $1,600 to $20,000 per month (retainer), $200 to $250 per hour, or $8,000 to $10,000 for a one-time project…
In this article, we’ll explore the importance of virtual CISOs, their roles and responsibilities, and the top 10 benefits they offer.
A virtual Chief Information Security Officer (vCISO) is an executive level security professional hired to guide the planning…
The year 2022 saw its fair share of significant vulnerabilities that made headlines and affected a wide range of systems and devices. These vulnerabilities impacted a wide range of systems and devices, including web servers, collaboration platforms, office software, and network devices.
Red teams are offensive security professionals who are experts in attacking systems and breaking into defenses. Blue teams are…
A firewall is one of the first lines of defense in preventing cyber attacks.
Naturally, this presents an opportunity for…
Wireless penetration testing is comprised of six main steps including:
These tests are performed primarily to maintain secure software code development throughout its lifecycle.
Coding mistakes, specific requirements, or lack of knowledge in cyber attack vectors are the main purpose of performing this type of penetration test.
What should a penetration test report include? Download our sample report to learn.
The term WiFi refers to wireless network technology that uses radio waves to establish wireless network connections.
Due to the nature of WiFi and its methods for providing network access, malicious hackers often choose to penetrate a company by compromising its WiFi network and corresponding infrastructure devices.
Homes are also at risk, especially due to the rise of IoT connected devices and appliances.
In this article, we will focus our efforts on WiFi penetration testing steps, methods and most popular tools used in the WiFi penetration testing process.
Wireless penetration testing involves identifying and examining the connections between all devices connected to the business’s WiFi.
These devices include laptops, tablets, smartphones, and any other internet of things (IoT) devices.
Wireless penetration tests are typically performed on the client’s site as the pen tester needs to be in range of the wireless signal to access it.
Every official penetration test should primarily focus on the vulnerabilities most easily exploited.
This is often referred to as going for the “low-hanging fruit” as these identified vulnerabilities represent the highest risk and are most easily exploitable.
In the case of WiFi networks, these vulnerabilities are most often found in WiFI access points.
A common reason for this is due to insufficient Network Access Controls and due to the lack of MAC filtering.
If these security controls are not used to effectively increase the security of a WiFi network, malicious hackers gain a significant advantage over the company and can use various techniques and WiFi hacking tools to gain unauthorized access in the network.
As previously stated, we will focus on the methodology and steps for testing the WiFi network and give examples of certain attacks and tools that will accomplish our goal.
Below is a list of steps that can be sorted in 6 different areas of the penetration test.
Before jumping straight into hacking, the first step in every penetration testing process is the information gathering phase.
Due to the nature of WiFi, the information you gather is going to occur via War Driving. This is an information gathering method that includes driving around a premise to sniff out WiFi signals.
To do this you will require the following equipment:
Most of the information you gather here will be useful but encrypted as most if not all companies use the latest WiFi protocol: WPA2.
This WiFi protocol protects the access point by utilizing encryption and uses EAPOL authentication.
Skip the policy-writing hassle with our ready-to-use penetration testing policy template.
The next step in WiFi penetration testing is scanning or identifying wireless networks.
Prior to this phase, you must set your wireless card in “monitor” mode in order to enable packet capture and specify your wlan interface.
After your wireless card starts listening to wireless traffic, you can start the scanning process with airodump in order to scan traffic on different channels.
An important step in decreasing your workload during the scanning process is to force the airodump to capture traffic only on a specific channel.
After finding wifi access points through scanning, the next phase of the test will focus on identifying vulnerabilities in that access point.
The most common vulnerability is in the 4-way handshake process where an encrypted key is exchanged via between the WiFi access point and the authenticating client.
When a user tries to authenticate to a WiFi access point, a pre-shared key is generated and transmitted.
During the key transmission, a malicious hacker can sniff out the key and brute force it offline to try and extract the password.
To clarify this most commonly exploited vulnerability, the next section of the article will focus on the pre-shared key sniffing attack and tools used to accomplish the task.
We will use the Airplay NG suite tool to accomplish our exploitation efforts by:
Since we already started capturing the traffic on a specific channel, we will now proceed with the next step.
Since we want to capture the 4-way handshake that occurs when every client authenticates to an access point, we must try and de-authenticate a legitimate client that is already connected.
By doing this, we are effectively disconnecting the legitimate client from the access point and waiting for our previous Airodump -ng commands that we ran, to sniff out the 4-way handshake once the legitimate client starts reconnecting automatically.
During the process of capturing traffic after the “de-auth” packets you’ve sent, you will be able to see lots of live information regarding the “de-auth” attack running.
We can see the channel number, time elapsed, BSSID (MAC address), number of beacons and a lot more information.
The time it takes to successfully perform this depends on the distance between the hacker, the access point and the client we are trying to disconnect.
Once the 4-way handshake has been captured, you can save the capture to a “.cap” file.
By saving all of this captured traffic into a “.cap” file, we can quickly input the file in Wireshark – a popular network protocol analyzer tool to confirm that we have indeed captured all 4 stages of the handshake.
Since we have now confirmed the 4-way handshake packet capture, we can go ahead and stop the packet capturing by typing the following airodump command: “Airmon-ng stop wlan0mon”.
Our final step in the exploitation phase is to crack the captured 4-way handshake key and extract the password.
To do this, we do not even have to use additional password-cracking tools such as JohntheRipper or Hydra.
We can simply use the Aircrack-ng module of the aireplay-ng suite.
Additionally, you must identify the dictionary you want to use for cracking the key by specifying the file path after the “dump-01.cap” part of the above command.
This command will run the cracking process on the target MAC address of the access point utilizing the captured traffic in the .cap file and a specified dictionary.
As a result, we successfully found the password phrase “community.
Since capturing keys from the 4-way handshake and brute forcing it offline is one of the most effective ways to gain unauthorized access, we emphasized this one practical attack.
Other practical attacks on wireless networks include the deployment of a rogue access point within the company.
This attack leverages the use of an unauthorized WiFi access point deployed inside the company buildings.
The main idea is to overpower the signals of a legitimate access point in the company’s network (or use WiFi signal jammers to render the authorized access point inaccessible) and force the employees to connect to the unauthorized access point.
If this runs successfully, an attacker will have control over all the traffic that is passing through that access point.
Structuring all of your steps, methods, and findings into a comprehensive document is the most important step in the work of a penetration tester.
It is highly suggested to document every step of your work, including every detailed finding, so you can have all the necessary details to make your report complete.
Make sure to include an executive summary, detailed technical risks, vulnerabilities you found along with the complete process of how you found them, exploits that were successful, and recommendations for mitigation.
Defy your attackers with Defiance XDR™, a fully managed security solution delivered in one affordable subscription plan.
We’ve demonstrated one practical exploit regarding Wireless networks that involves capturing WiFi traffic and the pre-shared key.
The attack was successful for many reasons including the lack of MAC filtering controls.
With this control turned on, the malicious hacker wouldn’t have been able to authenticate himself with the same password the legitimate user did.
Since anything can be hacked, the attacker would have to spoof his MAC address which is on the MAC list of approved addresses in order to successfully break into the wireless network.
Having Network Access Control (NAC) solutions in place will mitigate the possibility of having rouge access points in your network.
Additionally, the company may consider deploying wireless honeypots – simulated wireless networks that are used for detecting intrusions and analyzing the behavior of malicious hackers.
Wireless networks need just as much security consideration when being deployed and configured to keep them secure.
Wireless penetration testing is therefore a popular way to determine the realistic security posture of your wireless networks.
Even though it requires a bit more hardware equipment than your usual penetration test, wireless penetration testing is still performed with software tools often present in the Kali Linux OS with the industry’s most infamous tool for it being Airplay -NG.
We demonstrated a practical way of utilizing Airplay -NG and the results it can give with its powerful set of sub-tools.
All that is left for you to do now is try it out on your own (make sure you have consent for whatever and however small of a test you plan to do) and mitigate those vulnerabilities!
Article by
