Friday, January 30, 2009

Protecting users from password theft

A very good article from Chris Eng (Veracode), about how developers can design a strong password scheme in the applications to protect users from password theft. 

Suppose that your database is stolen (hope no) is  the data protected? the thiefs could revert back the passwords easily?  In my lasts pentest the passwords were stored in clear texts..... so it's common practice to have the password stored in an insecure way, or even clear text.

Here is a good practice for your developers or customers:

Veracode - How to protect your users from password theft


Wednesday, January 28, 2009

PCI for dummies

Qualys, the leader provider of vulnerability scans, has published a free e-book entitled "PCI for dummies", if you want to get a grasp of what it is the PCI (Payment Card Industry), and learn how to comply with it, you can download your copy here:



DVL 1.5 - a hacking playground

A new version of the most vulnerable distribution was released yesterday. This Linux distribution is known for providing resources to learn security and hacking.  It's loaded with training material, vulnerable software, and tools. 

It's a very interesting distribution to have in your lab, for testing
your tools in a controlled environment.

The new version 1.5 (Infectious disease) it's a 1.6 GB ISO image, and it's available to download here

Happy hacking


Web Application vulnerability scanners comparison

Today a saw a message from "Anantasec" in the mailing "pen-test" about a evaluation/comparison of Web Application scanners. 

The products analyzed are IBM Appscan (7.7.620 SP2), HP Webinspect (7.7.869)  and Acunetix (6.0), all commercial products.

The analysis only evaluate the results of the scans against 16 applications, it doesn't compare features, options or capabilities of the products.

After reading the report i have some doubts about the origin of it. Maybe could be a biased analysis for Acunetix? It's an Anonymous writer, a blog with just one post.. it makes me wonder. (damn, no interesting metadata in the document )

Personally i used all the scanners and i'm happy with Appscan, i'm missing the scheduling option of Webinspect. Also Acunetix improved a lot in the latest versions, and could be an interesting option when considering price/value.

An interesting fact of the analysis is that each of the scanners performed better when scanning the demo application of their company :)
Here is the report from Anantasec, draw your own conclusions

Remember to use more than one tool for the task, to have complimentary result, and also that the scanner will not discover all the vulnerabilities on the application, so don't rely on them.

I always use ProxyStrike when doing the manual analysis of the application, and i discover XSS and SQL that none of the scanners mentioned before does. Btw a new version is coming!

If you want more options on Web application scanners don't forget the Open Source options, right now there is a clear leader in this field, W3aF, it's very complete and even have more plugins or checks than the commercials one, and is multi-platform.

What are you using?


Tuesday, January 27, 2009

Information Gathering III: Yasni and 123people

After the posts about Information Gathering about individuals using Spokeo and Pipl, now it's the turn of Yasni and 123People.

has an standard search page, where you have to put the name of the person you want to search information about. The result page is organized in "All, Personal, Business, News, Other Web pages and Comments", and the quantity and quality of the results is very good.

An interesting feature of Yasni is the Tag cloud about your target, in some cases is useful to check if it is really your target (assuming you know something about him/her).

Yasni also offers an "Agent search", which they say it will perform an exhaustive deep web search, and will return the results in 24 hours. I'm waiting for the firsts examples to arrive :)

The last people search engine i will review in this miniseries is "123people", one of the most used service on the net, and personally one of the best in the results organization. 

123 people results are organized in "web links, Amazon, Phone Numbers, Videos, News, Microblogs, Pictures, Blogs and Documents, and Social network profiles", 123people also has a Tag cloud like Yasni. 

123People has an email alert service, for receiving updates about your targets.

Right now we can say that the results are very similar between  the different services and we have to wait to see which will reign the people search engine terrain.

I have my preferences with 123people and Pipl,  but i recommend to use as much as possible when  performing an information gathering about a target.  All this services are oriented to the web and the social networks, there are other kind of services that will provide more information but they aren't free and the information is only available for certain countries, i will write a post about this services soon.

What's is your choice? 


Thursday, January 22, 2009

Information Gathering II :

Well after writing about Informationg Gathering and Spokeo, now it's the turn of as you can tell from the name is oriented to search information about individuals.

The application doesn't need a registration, this is good, and the search parameters that you can use is the Name, Last Name, City and Country, but also they  recently added the reverse lookup, where you can use an email address, nickname or phone number!

As usual i started searching for myself, and Pipl shielded more results than Spokeo. In the results we can find online profiles (Facebook, Myspace, etc), photo albums, Youtube accounts, Amazon accounts, blog posts, documents, pictures (with thumbnails) and many other kind of results.

Really is an interesting tool, and is improving over the time.

About the differences between Spokeo and Pipl, is that Spokeo aim to be more of a tracking tool of what is your "friends" doing, than  a one shot search and investigation. Also Spokeo just allow you to do 1 free check, and if you want more you must pay.

Finally one thing that i would like to see in these tools is an API to automate the search, and stop worrying about the changes in the results and the performance of my parsers.

Stay tuned because there are two new contenders in the arena of people search that i am testing this week.
Enjoy your investigations ;)


Wednesday, January 21, 2009

HITB 2008 videos

The videos of the Hack In The Box Conference 2008 are available through Bittorrent, you can download the torrent here:

Also remind that you can download the slides from here


Information Gathering I : Spokeo

Hi all,  i was researching new information gathering sources when i stumble with a website called Spokeo, in their website they claim that it "searches deep within 41 major social networks to find truly mouth-watering news about friends and coworkers", well it seems it's oriented to the gossip world, what everybody loves ;)

After seeing this promising prospect i decide to take a look and try this application, the main option is that you log in with your email account, and Spokeo will retrieve all your contacts and start gathering info about them, that's is not gonna happen in the this test; i prefer to search for a contact using an email address or a blog url.

So i launched a search with myself hoping for a good set of results.... but it was a great disappointing, Spokeo returned a very poor result set, well i though that maybe with other users i will have more results... but no, nothing at all, less info than before.

Maybe  if you allow the use of the API login, with your credentials will shield more results, but i didn't try this option yet.

A curious fact is that Spokeo has created a marketing campaign addressed at Human Resources people with "Spokeo HR", allowing the recruiters to perform an online profile of the candidate.

So it turned to be a good promise with disappointing results.

Do you have any feedback from this application?

Which other application do you recommend?


Tight Budget, conferences and training

Here is an interesting old article from August Blegen, about "Why attend conferences when facing tight budgets" aka recession times, crisis or whatever you like to call the times we are facing. The article perform an analysis on why is important to attend conferences (and professional education) during hard times. I liked this part of the article:

Recession is not a time to pull the cover over and crawl in. It's a time to work harder, work smarter and improve your own development just to maintain your competitiveness.

So if you are very tight on budget here in Barcelona  or Madrid we organize the FIST Conference a free security conference, where you can learn new things and meet new people.

And i recommend to start saving to assist to the SOURCE conference that will take place on Barcelona on September! This will be an awesome event
You can read the whole article here

How are you gonna face the training/education this year?


Zerowine: Malware behavior analysis

Here is a new project aimed to dinamically analyze the behavior of malware. The twist here is that Zerowine will run the malware sample using WINE in a safe virtual sandbox collecting information about the API's called by the sample.

Zerowine is distributed as a QEMU virtual machine with a Debian OS. In the virtual machine is installed Zerowine with a web interface to upload malware samples, check the status of the analysis and finally to present the report.

Here are some screenshots:

Project page: Zerowine

Monday, January 19, 2009

About Windows passwords, hashes and registry

Here is a great set of articles about Windows passwords schemes by 

Syskey and the Sam:

Decrypting LSA Secrets:

Cached Domain Credentials:

Besides the articles, Brendan create a set of tools to use with Volativility that will allow to extract those password from a memory dump:

  • hashdump: dump the LanMan and NT hashes from the registry (deobfuscated). 
  • lsadump: dump the LSA secrets (decrypted) from the registry. 
  • cachedump: dump any cached domain password hashes from the registry. This will obviously only work if the memory image comes from a machine that was part of a domain. 

Wednesday, January 14, 2009

Top 25 Most dangerous coding errors

A joint effort between CWE (Common Weakness Enumeration) and SANS, and with the participation of experts in the field, produced the "Top 25 most dangerous coding errors"  a list of the most significant programming errors that can lead to serious software vulnerabilities, this document will impact in many areas like:

  • Software buyers will be able to buy much safer software. ( with a certificate of code beign free of these 25 bugs)
  • Programmers will have tools that consistently measure the security of the software they are writing.
  • Colleges will be able to teach secure coding more confidently.
  • Employers will be able to ensure they have programmers who can write more secure code. 
"The main goal of the Top 25 list is to stop vulnerabilities at the source by educating programmers on how to eliminate all-too-common mistakes before software is even shipped."

This is a good initiative to have a very brief list of programming errors, so the programmers could use as a guide, the language and examples used are very easy to understand and i guess this will facilitate the adoption by the programmers.

There is a lot of information about secure coding at OWASP, but i guess that this simple guide will be easier to use, than OWASP documentation.

Hope programmers start to use it :)

You can check the list here


Tuesday, January 13, 2009

OWASP Testing Guide v3.0

The new testing guide was released the 18 of December, this is a great project, and very useful for penetration testers.  This version is very complete and is more clean than the previous versions.

You can download here:


Yara Malware Classification tool

A new Malware classification tool is on the block, YARA is a tool aimed at helping malware researchers to identify and classify malware samples. 

YARA is multi-platform, running on Windows, Linux and Mac OS X, and can be used through its command-line interface or from your own Python scripts using the yara-python extension.


Monday, January 12, 2009

Recruiting and Managing Geeks

Via CarnalOwnage i found a very interesting link about recruiting Geeks or technology savvy candidates. The article is called "Open letter from geeks to IT recruiters" and it gives tips to recruiters on how they have to evaluate a candidate for IT. There is also a part about managing Geeks, and that part is more interesting from my point of view.

Here are some tips they gave about managing Geeks:

  • Try to measure productivity in output and not in hours. (article)
  • Assign tasks to the geeks who are most interested in them, not the ones with the most experience.
  • Segregate the corporate, compensatory hierarchy from the leadership hierarchy. Basically this mean that the Geeks will organize in a meritocracy, following the group guru. In my opinion not always will be this way, but a halfway option could be good.

I would like to add some others:
  • Allow them to work remotely.
  • Don't impose absurd procedures, that consume time.
  • Listen to their opinions usually they have very good alternatives or ideas, they are problem solvers and like challenges.
  • Don't impose online content control/management, they are the "online generation", if they are productive why to worry if they are chatting or browsing the net. Most of the times they will be reading information that will improve their work and knowledge, and this is good for you.
  • Give recognition, most of the business today relay on their work, stop and think again how much of your business relay on their work. Management tend to know the work of the geeks when things goes bad, what about of recognize them when everything goes smooth ?
  • Don't burn them, they will leave, they do not tend to stay as other kind of employees.
  • Give them the correct equipment, why people don't understand that a 3 year old computer is not adequate for doing the job in conditions? It's true that they work but they performance is awful and that will demotivate the geek. They spend the whole day working with the computer, usually multitasking,  go and buy them a good and powerful computer, with a big screen or multiple screen setup, productivity will boost... and remember 19" is not a big screen...
  • Let them wear casual clothes in your company, they are not too friends of the tie. But they understand that if the need to go to customer office is necessary to wear the suit.
  • Provide them with a creative environment.
  • Give them training, they will take advantage of it.

Some of this are taken from the "How not to lead geeks".

Do you have other tips?



Friday, January 9, 2009

Virustotal uploader

Here is a new handy tool for uploading files to,  this program will add an entry for the contextual Windows menu to send the file to 

For the ones who don't know, offer a service of online antivirus, using 39 antivirus engines. It's very useful when you need to check a downloaded file or a suspicious file during an investigation.

You can check it here

Info via


Thursday, January 8, 2009

Canvas + Nessus + D2 Bundle

It's good to see how products try to join forces and try to integrate them as much as possible to facilitate the tasks of the pentesters. 

Now the guys at Tenable Networks Security, Immunity and Dsquare Security are offering a 20% discount if you buy the bundle, Nessus Professional Feed+ Canvas  + D2 exploit pack

An example of integration is the plugin that D2 developed, that allow you to import the Nessus results in Canvas, and analyze them to show which exploits can be used on the detected vulnerabilities.

Here is a video where you can watch this feature

Another feature is that the hashes (LM/NTLM)  retrieved with Canvas can be fed into Nessus to perform local checks.

You can have more info here

Wednesday, January 7, 2009

Cisco IOS emulator

Today a discover a great piece of software called Dynamips that will allow us to emulate the CISCO IOS, and run virtual routers and PIXes. You heard right "Emulate" not "simulate", the software actually runs the IOS and let you create interfaces, the software is command line but there is other interesting project called GNS3, which is a graphical network simulator that allows simulation of complex networks.

I'm starting to play with this thing, but seems pretty solid, there are people that are running in their homes as PIX firewalls, routers, ipsec vpns and QoS, with GNS3.
This is very interesting when you need to test something in a real IOS, and you don't have the necessary hardware.

It's important to remark that you will need the CISCO IOS images.


25C3 Presentations

As usual the last 25C3 was held in Berlin, and the presentations are online (not all of them)

You can download check it here: CCC presentations



Thursday, January 1, 2009

IE7 0day

Hi we open the year with a guest post from Vicente Diaz, he will participate with guest posts during this new year 2009, Welcome Vicente!

Last vulnerability in Internet Explorer 7 was a bad one, affecting all previous versions and giving little time to patch it since malware started to take advantage of it. As explained in my post at S21sec´s blog (spanish), the vulnerability was used in a massive SQL injection campaign along many other vulnerabilities affecting Real Player, Adobe Acrobat and MS Office among others.

The discovery of the vulnerability seems to be in China, rounding the dark market by mid November, but the disclosure was after MS patching Tuesday during December. However, the question of HOW it was discovered has not an easy answer ... I was reading about this at Microsoft´s blog and it is not clear at all. Even using SDL this vulnerability is not easy to spot, much more difficult without having the code (as I assume). There is not much room for fuzzers (but they might be useful), and not likely to happen just by chance, so it seems someone really took bug finding in IE 7seriously.

You see these vulnerabilities appearing from time to time, but when you stop to think about this, is really amazing. As guys at MS say, bad guys have all time in the world to look for vulnerabilities but developers have tight deadlines and limited resources. This is true, and this makes necessary the use of several layers for security, but my final thought is that bad guys are going really professional, so we still have a lot of work to do to stop them.


Wfuzz 2.2.0 released

I'm pleased to announce a new version of WFuzz! Wfuzz has been created to facilitate the task in web applications assessments and it...