I had a fascinating experience the other night while doing a security assessment for a friend: while scanning his network I came across a whole host of vulnerabilities on my own machine. For some context, I usually have a hotspot with me so as to keep my machine and the target network separate (you just never know what’s on a target network), so I’m never on the actual network that I’m going after.

In this situation, however, I didn’t have my hotspot with me and I felt that my friend wasn’t running anything malicious. Anywho, I connected to my friend’s network and began scanning with OpenVAS. My friend’s network is fairly clean, with the exception of all the crap that’s wrong with my own machine.

Needless to say, I was very shocked that my own machine had such glaring security holes. It got me thinking a great deal about the information I may be leaking while doing security assessments. Normally I have several forms of obfuscation running to help keep my profile low anyway, and therefore never thought about it much, but if my attack Mac is leaking this kind of info and making my scan profile a huge freaking target, all the obfuscation in the world wasn’t gonna help. In short, I had a bad Ops-Sec policy. So I set out to update my Mac and make my machine secure.

First things first, those critical PHP errors. These were caused by two different things, the first being that my PHP version was out of date (5.4.20). So, time to update that.

Running the following command from terminal:

curl -s http://php-osx.liip.ch/install.sh | bash -s 5.6

made the upgrade process super smooth and easy. There is a quick “how-to” that I was able to follow here.

The second issue I had was that I had two info.php pages littering up a few test subdirectories of /www/; a quick move to the trash solved that critical issue and even cleared the medium one. I ran another scan with OpenVAS and this is what showed up:

A whole load of logs relating to information that was leaking from my Mac… so much sadness. However, all was not lost. I decided to check my

System Preferences >> Security & Privacy >> Firewall

settings and see what was up there. Lo and behold, I found that I had not been diligent about turning on stealth mode.

A quick check mark on Enable Stealth Mode, another scan in OpenVAS, and voilà, I was presented with this awesome bit of magic:

With a vulnerability scanner such as OpenVAS I was able to take my scan surface from bleeding all kinds of interesting information to neatly sewn up and not bleeding at all.
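As an added example (not code from the original post), here is a small shell audit for the same three items on a Mac: an outdated PHP, leftover phpinfo() pages under the web root, and the Application Firewall stealth mode. It assumes the stock macOS path of socketfilterfw, defaults the web root to /www as in the post, and treats 5.6.0 as the minimum PHP version; on any other OS only the helper functions are usable.

```shell
#!/bin/sh
# Added audit script, not code from the original post: it checks the three
# things the post fixed on a Mac -- stale PHP, leftover phpinfo() pages
# under the web root, and Application Firewall stealth mode. Assumptions:
# socketfilterfw at its stock macOS path, web root /www as in the post.
SOCKETFILTERFW=/usr/libexec/ApplicationFirewall/socketfilterfw
MIN_PHP=5.6.0

# Interpret the text `socketfilterfw --getstealthmode` prints. Echoes
# on/off/unknown; exit status is 0 only when stealth mode is enabled.
stealth_state() {
    case "$1" in
        *"Stealth mode enabled"*)  echo on;      return 0 ;;
        *"Stealth mode disabled"*) echo off;     return 1 ;;
        *)                         echo unknown; return 2 ;;
    esac
}

# Turn "major.minor.patch" into one integer so versions compare numerically.
version_num() {
    printf '%s' "$1" | awk -F. '{ printf "%d", $1*1000000 + $2*1000 + $3 }'
}

# True when version $1 is at least version $2 (5.4.20 vs 5.6.0 fails).
version_ge() {
    [ "$(version_num "$1")" -ge "$(version_num "$2")" ]
}

# List every *.php file under $1 that calls phpinfo(); such a page hands
# the PHP version, modules and filesystem paths to anyone who requests it.
find_phpinfo() {
    find "$1" -type f -name '*.php' -exec grep -l 'phpinfo[[:space:]]*(' {} + 2>/dev/null || true
}

# Live report for a Mac; it only reads state, it changes nothing.
audit_mac() {
    webroot="${1:-/www}"
    php_ver=$(php -r 'echo PHP_VERSION;' 2>/dev/null || echo 0.0.0)
    if version_ge "$php_ver" "$MIN_PHP"; then echo "php $php_ver: ok"
    else echo "php $php_ver: older than $MIN_PHP, update it"; fi
    leaks=$(find_phpinfo "$webroot")
    [ -n "$leaks" ] && printf 'phpinfo pages found:\n%s\n' "$leaks" || echo "phpinfo pages: none"
    echo "firewall stealth mode: $(stealth_state "$("$SOCKETFILTERFW" --getstealthmode)")"
}

# Run the live audit only where the macOS firewall tool actually exists.
if [ -x "$SOCKETFILTERFW" ]; then audit_mac "$@"; fi
```

Stealth mode can be switched on from the same tool with `socketfilterfw --setstealthmode on`, which is what the System Preferences checkbox does.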

Full disclosure: a quick scan with a tool such as Nmap will still reveal certain information that you are trying to mask; the point here is to make your scan surface smaller and less appealing to ankle biters who are out for the lulz. Most people like that will stop at an OpenVAS scan that reveals nothing; a determined hacker or nation-state will be more motivated and will find this information out anyway.

Two takeaways from this:

One: always consider your Ops-Sec.

Two: make yourself less appealing and trim the low-hanging fruit.
