Flash movie analyzers

Here is an online tool that perform an analysis of a Flash movie, this is very interesting for analyzing potential malware movies:

Adopstools

Another tool is the WepaWet, this one handles Flash and Javascripts files:

http://wepawet.iseclab.org/

Here we can find some interesting tools like the SWFdump and SWFstrings:

Swftools.org

Also here is an interesting post, on analyzing Flash:

Pentphase.de

Thanks to Vicente for the links

Enjoy

-CMM

Secure deleting a Macbook (pro) with OSX

Yesterday i was preparing my old Macbook Pro for selling, and after doing a backup i wanted to do a secure delete of all the hard disk content. So i started to search for a software or a solution (before using a live CD) and i found that the OSX include the option to do a secure delete in the "disk utility", best of all is that the cupertino boys have 3 different kinds of secure delete, with different levels of security, to prevent the file recovery.

Zero Out Data:

This method writes zeros over all of the data on the drive. This provide a decent level of file security,there are forensics utilities that in theory could retrieve some data however they are extremely expensive and time consuming and there are no documented cases of this actually taking place.

7 pass erase:

This method will write data over the disk seven times, and will take 7 times longer than Zero Out Data. This method is compliant with the D0D 5220.22-M specification, meaning that it is virtually impossible to retrieve the information.

35 pass erase:

If you are paranoid or you really need to protect some files, you can use this method that writes the entire disk 35 times... It is said that this method is really impossible to recover. Also this option will take ages to finish.

Well after checking the options, i went with the 7 pass erase method, and for a 150GB partition it took 7 hours to complete, now i had to do the same for the 100GB partition :(

Reference: http://danbenjamin.com/articles/2008/05/secure-erase-osx
-CMM

25C3 Chaos Communication Congress videos

The 25C3 is finishing and the videos of the presentations are available here:

http://81.163.130.141/streamdump/

Enjoy

-CMM

Usename check!

After the presentation i gave at IV Spanish OWASP meeting, many people asked me about the website that checks if a username is registered at different websites (Social networks, web 2.0, etc).

The website that i use is: http://www.usernamecheck.com/

It has more than 70 sites for checking, this is very interesting when doing information gathering, or forensics investigations.

Next post i will show how can this site will help us.

Enjoy

-CMM

Netifera - Network security Analysis

A new framework is being cooked at Netifera.com, it is coded over Eclipse framework, so the application will be able to run in all platforms, right now there is only two packages Linux and OsX.

A description taken from their website:

"At netifera we are building a next generation platform for network security analysis.

Our architecture is a radically innovative approach to managing high volumes of network information.

Our free and open source platform provides the framework for creating and integrating security tools with a flexibility that has never been possible before."

The team is made of people who has worked in CORE, Sebastian Muñiz and Luciano Notarfrancesco, were the ones that presented the tool at XCON in china.

You can download the beta and get more information HERE

-CMM

Blackhat Japan 2008 Presentations

The presentations and the audio files are available to download,

You can get them HERE

Enjoy

-CMM

Malware Hash registry

Team Cymru has launched a look-up service that allows you to query their database of many millions of unique malware samples for a MD5 or SHA-1 hash of a file.

The service is free for non-commercial use.

The results of the query, will output the date the sample was first seen, and the detection rate of 30 AV engines.

Also you can cross check with the www.virustotal.com engine hash check option

More information HERE

-CMM

Metasploit Decloak V2

The Metasploit project, has released a tool that demonstrate a system for identifying the real IP address of a web user, regardless of proxy settings, using a combination of client-side technologies and custom services. No vulnerabilities are exploited by this tool. A properly configured Tor setup should not result in any identifying information being exposed. 

It's an interesting tool, to check if your proxy configuration is really anonymizing your connections, or if you are under a false anonymity.

You can check your proxy anonymity here:  Metasploit decloak

-CMM

Oracle Forensics

Hi, this time i will post a brief entry about Oracle Forensics, when we talk about Oracle Forensics we are talking about David Litchfield, he researched and developed tools for analyzing Oracle from the forensic point of view.

Next Thursday he will participate in a Black Hat Webinar, where he specifically will talk about  Orablock:

"The tool, orablock, allows a forensic investigator to dump data from a "cold" Oracle data file - i.e. there's no need to load up the data file in the database which would cause the data file to be modified, so using orablock preserves the evidence. "

You can register here.

Also he will publish a book about Oracle Forensics very soon, you can pre order it at amazon, the book is called "Oracle Forensics Using Quisix"

And if you want to check all his presentations and papers about the issue you can  go here.

There are few persons working in this field, and besides Litchfield we can refer to Paul M. Wright, author of the first Oracle Forensic Book, you can check his blog here.

Enjoy!

-CMM

Panda Security advertisement

This is an unusual post but it is very funny, and is related with security:

The guys from Panda Security made a great advertisement with a concept very far from the information security but very funny and effective, at least the main idea is very well transmitted.




-CMM

Python Regexp tester

When you are coding in python and need to use a regular expression, i always end up firing up a python interpreter and trying the regexp on the fly, now i discovered www.pythonregex.com , a web application created over Google App Engine that allows you to try regular expressions without having to code a line, you just need to write the regexp and put the string or text where do you want to apply it.


Give a try here

-CMM

Jsky - a free Web Application Scanner

A new free Web application Scanner is out, from the same author of Pangolin (a good SQL Injection tool). The scanner looks pretty solid and complete for an alpha version; the list of checks is the following:

• SQL Injection
• XSS
• Unsecure object using
• Local path disclosure
• Unsecure directory permissions
• Server vulnerabilities like buffer overflow and configure error
• Possible sensitive directories and files scan
• Backup files scan
• Source code disclosure
• Command Execute
• File Include
• Web backdoor
• Sensitive information
• And so much more......

It also claims  that also exploits the vulnerabilities, but i didn't try that option yet.

Here is a screenshot of the tool in action:

You can download it from here

-CMM

Shellcode2Exe

Here is a tool that could be handy when you stumble with a shellcode, and you want to create a binary to analyze with a debugger:

Shellcode2Exe

Just paste the shellcode and click submit, right now supports 3 types of shellcode:

1) %u urlencoded IE shellcode payloads
2) \x style C strings
3) raw hex strings with no spaces ex. 9090EB15

It's based on a tool that you can find in the Malcode Analyzing Pack from Idefense

Thanks Vicente for the tip

-CMM

Windows Prefetcher and forensic analysis

When doing Forensic analysis, many times you need to find if a user had run a binary on the analyzed system, there are some places where we can obtain information about application run s like entries in the "RunMRU" registry location (HKEY_CURRENT_USER \ Software \ Microsoft \ Windows \ CurrentVersion \ Explorer \ RunMRU), but today i will talk about the Prefetcher files.

The Prefetcher:

"It is a component of the Memory manager that speeds up the Windows boot process, and shortens the amount of time it takes to start up programs."

"Windows XP monitors the files that are used when the computer starts and when you start applications. By monitoring these files, Windows XP can prefetch them. Prefetching data is the process whereby data that is expected to be requested is read ahead into the cache. Prefetching boot files and applications decreases the time needed to start Windows XP and start applications."

This feature was introduced with XP, and it's available in VISTA.

In short when you launch an application windows will create .pf file in the prefetch directory (%SYSTEMROOT%\Prefetch\), this file will contain information to speed up future application startups.

This file contains different information about the application, but at the end of the file we can find the path of the file image.

The name of the file is FILE-HASH.pf, the HASH is calculated with the path of the file image, so if the same binary is run from two different location, we will have two different prefetch files.

So now you can find if an application was run on the Windows system and you can have the MAC times of the prefetch file and the image file to add to the timeline analysis, also there is a counter of how many times the application was used.  (You can use Windows File Analyzer to get all this information)

This could be helpful when analyzing Malware on infected machines, the malware maybe is deleted but the prefetch entry is still available, or to find the executable of the malware analyzing all the prefetch files.

Maybe you are wondering how many files Windows will save? It's supposed to maintain 128 entries, any entry over 128 will be flushed, most frequently used applications will be preserved.

Do you know more places to find information about applications runs?

More info on Prefetch

A tool for analyzing Prefetch directory: Windows File Analyzer

-CMM

Explico - Network forensics

A great new tool for analyzing network traffic has been released, as stated in the Xplico web site:

"Xplico isn’t a network protocol analyzer. Xplico is an open source Network Forensic Analisys Tool (NFAT)."

The goal of Xplico is extract from an internet traffic capture the applications data contained.
For example, from a pcap file Xplico extracts each email (POP, IMAP, and SMTP protocols), all HTTP contents, each VoIP call (SIP), and so on. Xplico isn’t a network protocol analyzer. Xplico is an open source Network Forensic Analisys Tool (NFAT).

Website and more info: http://www.xplico.org/about

-CMM

Incident Handling Cheatsheets

The guys at ISC SANS (Internet Storm Center) has released two Incident Handling Cheatsheets, these will be useful for people that got hacked, infected by malware, system administrators, etc. 

The first one is "Security Incident Survey Cheat Sheet for Server Administrators", it captures tips for examining a suspect machine.

The other is a questionnaire for responders, it collects the most important questions an incident handler should ask when taking control of the incident, or getting in contact with the problem.

Security Incident Survey Cheat Sheet

Questionnaire for responders

More information here

IV OWASP SPAIN presentation

Last friday i did a presentation about new ways to get information from a target person or company, the title was "A Fresh new look into Information Gathering".

The room was full, even my talk started at 19:15, after 3 other talks, that's was very cool because it means that the people was interested in the topic.

It's curious how there are a lot of people not aware of this issue (Information Gathering, information leak, etc), but at least i felt good about doing some awareness.

You can get the presentation here

-CMM

Nessus - Alternative Feeds

The people at Alienvault.com, has released an alternative Nessus feeds, they have 3058 plugins in the feed, and the most interesting feature is that they provide a lot of SCADA servers plugins, this is interesting since the only plugins available for SCADA were paid.

So if you want to use this plugins, go to this page

The plugins also work on OpenVAS

Do you know any other free feed?

Enjoy

-CMM

Desktop setup - Unity power

After trying different setups and OS, i'm actually working with two different setups, my work computer a lame Fujitsu Siemens 15" wide with Core 2 Duo 2.4Ghz and 2GB of Ram, this machine runs a Windows Vista SP1, it's really fast in this machine and i'm pretty happy with it; and my other computer is my personal laptop a Macbook Pro 15" Core Duo 2.0Ghz and 2GB Ram, really is the best computer i owned, it's a pleasure to use this computer and i enjoy a lot the OSX.

First i want to make clear why i use Windows Vista instead of Linux? Well because i'm working a lot with Office Documents, and i couldn't find a good solution on Linux (i tried almost everything), also the different problems i have with Linux that are time consuming to fix (Multiple screens, is a difficult task for a linux, i don't know why they do not create a easy config tool like Windows)

So where is Linux? i run linux on both machines in a Vmware machine, in the Fujitsu Machine is blazing fast, so fast that i had to try it native and compare, and to my perception it was faster in the Virtual Machine, not so sure why, but is good for me :)

And in my personal computer linux runs in Vmware Fusion, a great piece of software. You might be wondering, "it's the same as the others vmwares out there", well NO, it has a feature called Unity, that allows you to run the Guest operative applications, on the HOST desktop, as if they were a native application, i talked of a feature like this in Parallels called Coherence, both Vmware and Parallels supported Windows Guest system for this feature, but recently Vmware Fusion added support to Linux guest systems.

Here is my OSX desktop, running my Ubuntu linux applications (the ones with black windows):

You can see the ProxyStrike running on OSX and Linux, and a Ubuntu Terminal and a OSX Terminal, also a Ubuntu file manager windows.

For OSX to be perfect, i would like to have windows management options like WMII, not all of them, but basic ones, like WinSplit Revolution on Windows.

(After writing this post I found a way of doing some of the tricks, but you have to use AppleScript and Quicksilver, i will post later a customized version)

In future post i will show the software i usually use on both machines for my pentesting tasks and for productivity also..

What is your desktop setup?

-CMM

WebSlayer at Pauldotcom podcast

Last week Matt Tesauro from OWASP, pointed me that "WebSlayer" was reviewed in the show "PaulDotCom" a Security weekly podcast.


The MP3 of the show can be downloaded here

Also you can find the episode notes here


I recommend this podcast, is very interesting and they talk a lot about penetration testing topics, really useful and very entertainment.

They liked the tool, so it's a good signal and good feedback.

I'm waiting for the next episode :)

-CMM

Clickjacking Demo

A lot of buzz were flowing on the net the last few months , about a new type of vulnerability known as "ClickJacking" or "Ui redressing". The vulnerability is a variant of Cross Site Request Forgery (CSRF). The idea is simple, here is an explanation found in www.webmonkey.com:

"The basic idea is that an attacker loads the content of an external site into the site you’re visiting, sets the external content to be invisible and then overlays the page you’re looking at. When you click a link you see on the current page, you are in fact clicking on the externally loaded page and about to load pretty much whatever the attacker wants."

Well it seems pretty easy and clear, but if you want to see an attack in action, you have to check this GUYA.NET, where an attacker controls the camera of the victim, through a ClickJacking attack.

Some of you might be wondering how can you protect against it? The last version of NoScript (a Firefox Plugin that provides protection against XSS) adds protection to ClickJacking.

Be careful where you click ;)

CMM-

Memoryze - Memory forensic tool

Jamie Butler presented at HITB 2008 the tool Memoryze, intended to aid incident responders find evil in live memory.  

"Memoryze can acquire and/or analyze memory images, and on live systems can include the paging file in its analysis."

Memoryze site

Here are some Use cases

-CMM

OWASP EU SUMMIT is over

Wow what a great event, i returned from Algarve, Portugal the saturday morning. I met a lot of interesting people, and i had a very good times.

Thursday morning, i gave my presentation about WebSlayer, i started 4 talks before schedule, so they catch me a little off guard. Everything went smooth after i managed to make the microphone works :P

There were 2 other guys from Argentina, Arturo "Buanzo" Busleiman a very well known security expert, and Fabio Cerrullo a great person.

The place was very beautiful, but i hadn't enough time to visit the city, we were working from 8:00hs to 20:00hs , really very exhausting, but was fruitful.

Giorgio Fedon pulled a good working group about Web Malware, the idea was to start working in a document to splash the different kind of web attacks the malware use, and how a company can protect from them.

The thursday night the OWASP Band played some great tunes, it was incredible how good they were, taking into account that they never played together!

Seven committees were created to face different projects and issues, this is very interesting because a layer of middle management was needed, to handle all the heavy work and organization.

Regards to everyone that made this possible, in special Paulo Coimbra and Dinis Cruz, because without their effort this wouldn't happened.

The full results of the summit will be captured and released as a report from OWASP in the next few weeks.

Now there is a lot of work to do :)

-CMM

Kiosk hacking

Have you ever found yourself trapped in a internet Kiosk? those machine with customized software (most of them with windows) that only allows you to browse the net, print and maybe save a file in a thumbrive? I always had my kiosk cheatsheet, but now Paul Craig had released I-KAT, a website that pretend to hack a kiosk in under 120 seconds. I read his presentation at HITB and i really liked some of his tricks, really he found lots of security bypasses on the most used kiosks around the world.

Some of the tricks:

Invoking a command line, without executing cmd.exe:

-command.com
-loadfix.com start.exe
-win.com
-start loadfix.com cmd.exe
-%COMPSEC%
-sc create testsvc binpath "cmd /K start" type= own type interact

There a many combinations of these and he found 17 cmd.exe detours.

Another cool trick is embedding a cmd.exe inside an Office document (doc,docx, xls, xlsb, xlsm, xlsx), and then when you open the file the "Open package Contents" will popup.

Most of the bypasses are because the use of Black lists, the people still doesn't get it that black lists are dangerous...

I recommend to check the Ikat site and Paul Craig presentation to get all the tricks:

HITB presentation
I-KAT website
Portable tool

-CMM

Defcon 16 videos and HITB 2008 presentations

The presentations from HITB are ready for download, there is very good quality material. There are two presentations about OSX security, one from Dino Dai Zovi about exploiting OSX and another from the Gruqq about Antiforensics on OSX, check it here:

http://conference.hitb.org/hitbsecconf2008kl/materials/

And here are some Defcon 16 videos:

Brenno De Winter - Ticket to Trouble

http://media.defcon.org/dc-16/video/dc16_dewinter_tickettotrouble/dc16_dewinter_tickettotrouble_full.mov

http://media.defcon.org/dc-16/video/dc16_dewinter_tickettotrouble/dc16_dewinter_tickettotrouble.m4v

Dan Kaminsky - DNS Goodness

http://media.defcon.org/dc-16/video/dc16_kaminsky/dc16_kaminsky_cache_full.mov

http://media.defcon.org/dc-16/video/dc16_kaminsky/dc16_kaminsky_cache.m4v

Anton Kapela and Alex Pilosov - Stealing the Internet

http://media.defcon.org/dc-16/video/dc16_kapela-pilosov_stealing/dc16_kapela-pilosov_full.mov

http://media.defcon.org/dc-16/video/dc16_kapela-pilosov_stealing/dc16_kapela-pilosov.m4v

Mike Perry - 365 Day: Active HTTPS Cookie Hijacking

http://media.defcon.org/dc-16/video/dc16_perry_TOR/dc16_perrry_TOR_full.mov

http://media.defcon.org/dc-16/video/dc16_perry_TOR/dc16_perrry_TOR.m4v

More videos to come in the next months

CMM-

WebSlayer released

Hi all, i'm please to announce the release of WebSlayer, the web application brute forcer.

Im working on the presentation for the Owasp EU Summit 2008, and i created the WebSlayer project site at OWASP. 

The first version released is only for windows, but the source for Linux and OS X will be ready this week. Ubuntu 8.10 includes the python-qt4 version needed to run WebSlayer :)

Well now WebSlayer is officially an OWASP project :)

I hope you find it useful for your engagements

Stay tuned for the next release that will be packed of new features and improvements!

CMM-

OWASP European Summit 2008

With the theme ‘Setting the AppSec agenda for 2009′, the OWASP Summit will be a worldwide gathering of OWASP leaders and key industry players to present and discuss the latest OWASP tools, documentation projects, and web application security trends.

I will be participating in the summit presenting the project WebSlayer, the web application brute forcer. Here you can find the WebSlayer site at OWASP. Also i will participate in some working sessions about OWASP Top Ten 2009, Tools Projects, OWASP Certification and OWASP Live CD.

The summit will be held at Algarve Portugal, i never been there but it seems a beautiful place.

It will be a huge event, with a lot of interesting talks and sessions to attend, i hope to meet some interesting people to exchange ideas.

If you will be there and want to have a beer, drop me a line.

CMM-

EnDe - Complete web Encoder Decoder

Always in a web application analysis you end up looking for a fast way to convert/encode/decode/transform a string or a piece of text; there are a lot of online encoders/decoders but they are very specific, if you want a one stop with all you can need, enter EnDE. 

I came across EnDe in the OWASP Project page, it is described as:

"Encoder, Decoder, Converter, Transformer, Calculator, for various codings used in the wild wide web"

That's for sure, it has an extensive list of encoders, decoders, hashes, encryption, also you can transform dates, create regexp in different languages.

You can check EnDe in the OWASP page or in the tool website 

Enjoy

Cheat sheets

Here are some interesting cheat sheets that people posted in the Pentest mailing list:

Networking cheat sheets: 

• Protocols: Spanning Tree, Ipv6, Ipv5, OSPF, EIGRP, BGP
  
• Applications: Tcpdump, Wireshark
  
• Reference: Common ports, IP access lists, Subnetting
  
• Technologies: MPLS, QoS, Vlans, IOS version
  

Link PacketLife

Linux-Unix Command Line sheets:

The name says all.

Link Scottklarr

Miscellaneous:

Here are very good quality cheatsheets, this site used to be "IloveJackeDaniels".

• Regular expressions
  
• Subversion
  
• CSS
  
• PHP
  
• Mod_rewrite
  
• SQL SERVER
  
• HTML
  
• Ruby on rails
  
• ASP/VBScript
  
• Mysql
  
• Etc

Link AddedBytes

The rest:

A very big collection of many cheat sheets, you can find things like:

• Jquery
  
• JSP
  
• Java
  
• Firefox
  
• Coldfusion
  
• htacces
  
• Gimp
  
• Django
  
• mod_rewrite
  
• Mysql
  
• Oracle
  
• Perl
  
• Python
  
• Ruby
  
• Sendmail
  
• Solaris
  
• SSI
  
• Sybase
  
• UML
  
• Vim
  
• XML
  
• XSS
  
• etc.
  

Link Cheat-Sheets.org

Setting Vmware to trick Malware

Here are some configuration options for VMware that can be useful to thwart some malware

when they check for virtual machine presence. It's not going to fool all malware but

there are a lot that will fall.  So fire up your text editor and add this lines to your virtual machine VMX file:

isolation.tools.getPtrLocation.disable = "TRUE"

isolation.tools.setPtrLocation.disable = "TRUE"

isolation.tools.setVersion.disable = "TRUE"

isolation.tools.getVersion.disable = "TRUE"

monitor_control.disable_directexec = "TRUE"

monitor_control.disable_chksimd = "TRUE"

monitor_control.disable_ntreloc = "TRUE"

monitor_control.disable_selfmod = "TRUE"

monitor_control.disable_reloc = "TRUE"

monitor_control.disable_btinout = "TRUE"

monitor_control.disable_btmemspace = "TRUE"

monitor_control.disable_btpriv = "TRUE"

monitor_control.disable_btseg = "TRUE"

With this configuration you can trick most VM detections like RedPill, Scoopy checks and other techniques.

Becareful with this configuration because will break the communication channel, thus nullifying the VMtools.

This configuration was provided by Ed Skoudis and Tom Liston in their document "Thwarting Virtual Machine Detection"

If you have another trick please share it here :)

CMM

OWASP Spain Chapter Meeting

The next 21 of November i will be participating as speaker in the OWASP Spain Chapter Meeting, i will give a talk about Information Gathering, the key point of the presentation is to show new techniques on how you can gather interesting information about a target (individual or company) and how can you use it in a penetration test. I will talk about my tools, and some online sites that provide interesting information.

If you want to join us, remember the 21 of November, place IL3 - Institute for LifeLong Learning (Universitat de Barcelona)

Link: Owasp

Metagoofil in Toorcon

The last week Chris Gates from carnalOwnage gave a talk in Toorcon about Information Gathering called "New School Information Gathering" in his talk he speak about Metagoofil, and how you can use it on getting information from the metadata of public documents.

I liked the presentation, and i think that Chris did a good job putting everything together

If you want to get the presentation get it here: http://www.carnal0wnage.com/research/Carnal-NewSchool-ToorconX.pdf

CMM

Displaying Windows cached DNS entries

This is a super fast post, here is an interesting command for checking the cached DNS entries in a Windows system:

c:>ipconfig /displaydns

slashdot.org
----------------------------------------
Nombre de registro . : slashdot.org
Tipo de registro . . : 1
Período de vida . . . : 2117
Longitud de datos . . : 4
Sección . . . . . . . : respuesta
Un registro (host). . : 216.34.181.45


This could be useful when analyzing malware or doing forensic analysis

CMM

Yaptest - Automating Pentesting tasks

I was reading my rss feeds and i stumble across "Yaptest", a tool that aims to make it easy for a pentester to automate parts of testing on the fly. In the tool website the author gives some examples like:

• Run nikto on anything nmap thinks is an HTTP service
  
• Run hydra on every host with TCP port 21 open
  
• Attempt upload a file to any TFTP servers found
  
• Run onesixtyone on all hosts that are up
  
• Try metasploit's solaris_kcms_readfile exploit against any hosts running kcmsd

Im thinking right now in thousand of more uses.  I like this kind of tools oriented in the automation of tedious work,  boosting productivity and cutting time from assessment projects.

Now there is a Yaptest front end, and it look amazing:

The tools is developed in perl and the frontend in Ruby. I'm not too fan of perl, but i will give a try to the tool asap.

Link: Yaptest Overview

CMM

Ecrime - New mafias

This time my partner Vicente gave a great talk about the Cyber Mafias in the FIST Conference. Tha talk was an overview on how they operate, the money they manage, and some techniques they use.

It's a very interesting talk for everybody, because it's not a topic that you can find much information about..

The presentation is more interesting with Vicente's speech and comments, but you can download the presentation from the FIST Conference page, or from here Edge-Security site.

Enjoy

Metagoofil - Metadata Extractor Update

Hi all, long time from the last post. This time is a short post about a new updated version of the Metagoofil

The problem was that Google changed the source code of the results page, so the parser failed to catch the files. I guess that the structure of the HTML is changed often, to render useless the tools that use google in an automated way outside the API (all the tools right now).

Recently Roelof talked about the problems he had in Maltego using google as an input and core part of a tool, i want to confirm what he said, it's really a mess to maintain a tool that uses google as input :(

Enough for today.

Thanks to Chris Gates for pointing out the problem.

VAPWN - Web application Visualization - Crawler

Some time ago, we were working on a web application analyzer tool focused on the structure of the web application. We have a alpha version with a crawler and a proxy working. This is a proof of concept of visualization techniques in the security field:



You can view a video with an example of a crawling, different colors means different kind of files (dinamic, javascript, directory, hmtl, etc):

http://www.edge-security.com/vapwn-edge.mov

Hope you like, we are going the release this alpha version asap.

Enjoy!

Windows Vista - Easy hack

Hi, this time the people from Offensive-Security.com, bring us an example on how Windows Vista could be hacked in a very easy way, forget exploits, ASLR, DEP, etc.

Just boot with a live CD, move utilman.exe to utilman.old, and copy cmd.exe to utilman.exe.

Then in the login window, just press CTRL-U, and a console with administrative rights will pop up.

It's the same as the old Windows XP Sticky-keys trick.

Video here

Enjoy

PCI Requirement 666, sorry 6.6

After all the discussion around the PCI DSS requirement 6.6, on what were the real requirements, we can conclude that from June 30 (2008) there are two options for the web applications requirement:

1- Application Code review, that is subdivided in the following alternatives:

• Manual review of application source code
  
• Proper use of automated source code analyzer (scanning) tools
  
• Manual web application security vulnerability assessments
  
• Proper use of automated web application security vulnerability assessment (scanning)  tools.

2- Web application Firewall

I think that we should have both options implemented, there are not exclusive and implementing just the Manual web application as Code Review would not assure the security of the application, because maybe between the discovery of the vulnerabilities and the patching/correcting/solving phase will pass some time that the application will be exposed, also new vulnerabilities introduced after the Manual Web Application Assessment, will put in jeopardy the security of the application.

Another interesting point is the alternative 4 of the option 1 "Proper use of automated web application security vulnerability assessment tool", what is considered "Proper" ?   I imagine a lot of "tool monkeys" launching automatic scanners, printing the tool report and justifying requirement 6.6 for two pennies, and then you will have to explain to your customer why your service is more expensive than the other.... 

It's always the same :(

More to come on this issue,

Metagoofil 1.4 - Metadata exposed

Hi this time i will post a brief entry about the new version of Metagoofil released some

 days ago.

In this version (1.4) i added a new feature that will extract the MAC address from 

the office documents, yes you read right :)  the MAC ADDRESS. 

We can find this information inside the documents in a string like this:

_PID_ GUID ... {F96EB3B9-C9F1-11D2-95EB-0060089BB2DA}

The last 12 hex digits are your MAC!

So here we have another piece of information that can be used to track an user, and most of them 

don't know it's existence :(

The next version of Metagoofil it will possibly  map the MAC address to the vendor 

name, so we can have more information about a target company.

Download here: MetaGooFil

PhishMe - Phishing awareness

Via Dancho's blog i read a post about a company called PhishMe.com where they offer a service for creating Phishing campaigns to test the awareness level in the different areas of your company by creating targeted emails and websites.

It's not a bad idea, with this you can have a sense of how your company employees deal with phishing scams. What is curious is that interface seems like a real professional Phisher interface, at least it will give ideas to the Phishers on how to organize and present the data of the attacks launched to get an idea of the success rate of the campaign.

Check Phishme.com
Dancho's post

Information Security Workforce Study

(ISC)2 bring us the new study about the Information Security Workforce, here you can find a lot of information about our profession for compare your position in different countries, which positions are best paid, etc. As stated in the (ISC)2 website:

"... the Study reflects the opinions of the dynamic information security workforce. It is the largest study of its kind and provides detailed insight into important trends and opportunities within the information security profession. It aims to provide a clear understanding of pay scales, skills gaps, training requirements, corporate hiring practices, security budgets, career progression and corporate attitude toward information security that is of use to companies, hiring managers and information security professionals"

A very interesting reading: Download Study

Book - Zero Day Threat

I finished another book, this time i read "Zero Day Threat" a very interesting investigation about cybercrime, made by two journalist (Byron Acohido and Jon Swartz).

As stated in the cover they show us "The Shocking Truth of How Banks and Credit Bureaus Help Cyber Crooks Steal Your Money and Identity"

The book is very well narrated, i liked how they focused the history from 3 different point of view (The Exploiters, the Expediters and the Enablers). The authors made a fantastic job in the investigation and in the accuracy of the information given by the book.

It's a must for anyone who wants to know how the cybercrime is organized and the inner workings of these mafias. You could learn how they steal identities, credit cards, passwords, etc and how they transform all of these in money through laundering tricks.

After reading the book you get a feeling of being totally naked and vulnerable to the cybercrime mafias. I was aware of all the technological issues involving cybercrime, but now i'm aware of the other two pieces in this game and i get the full picture on how everything works.

You can check the site of the book for more information:




Prologue

Pages: 304

Mysql - SQL Injection

Hi, here are the steps needed to extract data from a Mysql Database through SQL Injection automation. This will be useful for penetration test, when you need to craft your own tool because the ones that are available fails...

Let's get to work, first we need to get the schemas (Databases):

"SELECT table_schema FROM information_schema.tables WHERE table_schema != 'mysql' AND table_schema != 'information_schema' limit 1,1"

Once we know which database we want to extract data, we proceed to list the tables:

"SELECT table_name FROM information_schema.tables where table_schema = 'MYSCHEMA' limit 1,1"

MYSCHEMA = obtained schema from query 1

Now that we have the tables, we will go for the columns:

"SELECT column_name FROM information_schema.columns WHERE table_schema ="MYSCHEMA" and table_name = 'MYTABLE' Limit 1,1"

MYTABLE = obtained from query 2

And after this process you know the Schema (Database), the tables and the columns, so you can create the query to extract the data you want or think it will be interesting for the penetration test.

Another interesting query for penetration testing, is the one that can create a bruteforce attack
to find which table has a column named X.

"SELECT table_name FROM information_schema.columns WHERE column_name like '%MYWORD%' limit 1,1"

MYWORD= a word taken from a dictionary


Now is all about of putting this together in a script for automation. You can check www.edge-security.com Pblind for a SQL Injector script, the next release will have this feature included.

If you have another idea, please let me know.

Regards

SQLZoo - Your one stop for SQL

How many times you were facing a SQL Injection and you have doubts or didn't remember how a query was made for a specific database? Or sometimes you don't want to start Vmware machine just to try a query, so you start googling for an answer. But there is a great website for this kind of needs called SQLzoo, here you can find a lot of examples for every type of query for the different database engines, and the best is that you can execute the queries and check if they are correct.

Another great resource is the reference section where you can find information on how to obtain Metadata and how to run queries about Functions, Selects and Users for all the different database engines.

Also there is SQL Injection area, where you can try some injections against a vulnerable system.

There are many more interesting things related to SQL in the site, check it here SQLzoo

Enjoy

Pwn to own

In CansecWest Conference they created a contest where there were three machines with 3 differents OS's. The one who managed to pwn one of them, will win money and the machine.

Well now the contest is over and the results are this:

1- MacBook Air running OSX 10.5.2 - Charlie Miller - Exploited a Safari bug
2- Fujitsu U810 running Vista Ultimate SP1 - Shane Macaulay (Security Objetives) -

Ubuntu standed strong in the contest and nobody managed to own it. The question is, someone went after the Ubuntu? or everybody concentrated their efforts on the more deployed OS's?

Now everyone will start saying that Linux is stronger than the others, but i don't think that one
contest like this could be used in the war of "Which OS is more secure?"

Also is interesting seeing how in a little time (48hs) when money is put in the game new vulnerabilities are founded.

Charlie in action:



More information here
Video of Charlie Miller after pwning OS X

RedIris Conference

Hi all, the thursday 27 i will be talking on the "VI Foro de Seguridad RedIris", the topic of this Forum will be Web Application security. My talk is about "Common application security vulnerabilities" aka "The Usual Suspects". I will make an overview of the most common vulnerabilities, based on the OWASP Top 10.

If you want to have a good time and learn more about Web Application Security this could be a good oportunity.

The conference program can be checked here

See you there!

MSRPC Auditing

Cody Pierce and Aaron Portnoy have released the Msrpc framework for auditing the Microsoft RPC protocol. The presented the tool in DeepSec 2007, it was a good presentation where they show us how they used to analyze RPC. Now the tools is available at Google Code.

pymsrpc is an attempt to develop a working library for communicating with remote Microsoft RPC endpoints. It includes an IDL parser and NDR data types for making requests.

The following toolset is recommended by them:

• PyMSRPC consists of the following components
• Lexer and Parse
• A library of NDR objects
• Utilizes Impacket from CORE for transport
• Tie-ins for the Sulley Fuzzing Framework

This framework allows you to immediately communicate and audit an RPC service.

Fuzzing - Brute force Vulnerability discover

This time i will talk about another great book. In this book Michael Sutton, Adam Greene and Pedram Amini expose everything you want to know about Fuzzing.

We can find a information about all the different types of Fuzzing: Network protocol Fuzzing, Web application Fuzzing, File format Fuzzing, in memory Fuzzing, etc. The book also cover the best fuzzing frameworks available like Spike, Peach, Sulley, and many more.

I enjoyed very much this book, it was easy to read and follow, very clear the concepts and well organized the contents.

If you want to learn all about Fuzzing, this is your book.

You can check the book web page: Fuzzing

See you soon!

Ajax security

Are you interested in learning about Ajax security? I did, so i got the book "Ajax Security" by Hoffman and Sullivan (2007, Addison Wesley, 470 pages), and it is really useful. The book is well organized, the explanations are very clear and the examples well chosen.

I learned a lot about Ajax and the security implications of this technology with this book, i highly recommend it.


Ajax Security, Addison Wesley

Check the content table

Metasploit 3.1

Well some time ago i posted about the Metasploit GUI, now the new version (3.1) has the GUI and the assistant polished, and the exploit number went up to 267!!

This project is growing and improving in every release :)

I downloaded the RC for windows and i liked a lot, here are some screenshots:













Wanna try the GUI in the new release?

https://metasploit.com/framework-3.1-rc1.exe
https://metasploit.com/framework-3.1-rc1.tar.gz

Enjoy :)

Portbunny - Port scanning improvement

A new port scanner has been released by the Recurity Labs guys (FX), it has some improvements over the well known scanners (Nmap). It's was developed for the security professionals, with performance in mind. As stated in Portbunny webpage:



"PortBunny is a Linux-kernel-based port-scanner created by Recurity Labs. Its aim is to provide a reliable and fast TCP-SYN-port-scanner which performs sophisticated timing based on the use of so called "trigger"-packets. The port-scan is performed in 2 steps: First the scanner tries to find packets, to which the target responds ("triggers"). Second, the actual port-scan is performed. During the scan, the triggers, which were found in the first scanning-phase, are used to determine the optimal speed at which the target may be scanned."

Portbunny webpage

Enjoy.