Tuesday, March 17, 2009

ProxyStrike v2.0 released!

I'm pleased to announce a new version of ProxyStrike, an active web application proxy, a tool designed to find vulnerabilities while browsing an application. It was created because of the problems we faced in pentests of web applications that depend heavily on JavaScript: not many web scanners did a good job at that stage, so we came up with this proxy.

Right now it has SQL injection, XSS and Server Side Includes checks available.

Highlights from this release:
• Plugin engine (Create your own plugins!)
• Automatic crawl process
• Request interceptor
• Request diffing
• Request repeater
• Save/restore session
• HTTP request/response history
• Request parameter stats
• Request parameter values stats
• Request URL parameter signing and header field signing
• Use of an alternate proxy (Tor for example ;D )
• Attack logs
• Export results to HTML or XML
• SQL attacks (plugin)
• Server Side Includes (plugin)
• XSS attacks (plugin)

Check it at: http://www.edge-security.com/proxystrike.php

Here is a video of the tool:

Great job by Carlos del Ojo (deepbit) on this new release.


-CMM

Security Industry Salary and Certification Survey 2008

The SANS Institute released an excellent study about salaries in the security industry and their relation to certifications. This is a great study for professionals to know where they stand in their career. I would like to see one of these studies for Europe; this one covers the USA in particular.

The survey shows that the security industry is one of the least affected by the crisis, and one where companies plan to invest this year.

If someone needs help for a European version, let me know.

Download here

Here you have some interesting bits:

  • Salaries for information security professionals are high. Over 38% of respondents earn US $100,000 or more per year.

  • 41% of the respondents said their organizations use certifications as a factor when determining salary increases.

  • The overall mean funding for training was US $2,854 per year with a median of US $2,000 per year.

  • Digital forensics, intrusion detection, and penetration testing are the technical topics respondents are most interested in learning in 2009.

  • As of late November 2008, just over 79% of respondents forecast no information security personnel reductions in the next 12 months.

  • Over 25% of respondents plan to deploy the following technologies in 2009:

    • Configuration Management
    • SIEM (Security Information and Event Management)
    • Storage Security
    • Wireless Security Solutions
  • The best places to find an information security position are in the metro areas of Las Vegas, Nevada; Dallas, Texas; and Washington, DC.

-CMM

A fresh new look into Information Gathering v2

Here is the new version of my presentation "A fresh new look into Information Gathering v2" that I presented at FIST Conference Barcelona one week ago. It's an overview of some new sources, mostly based on metadata and Metagoofil V2 (coming soon).

If you have a new source or technique that you want to share, you are welcome :)

Download here

Enjoy

-CMM

Monday, March 16, 2009

SOURCE BOSTON experience

I recently came back from Boston, where I attended the SOURCE Conference Boston.

It was a really good conference, with an excellent speaker line-up and a great environment for networking and meeting new people from the industry.

The conference had a great balance between technical talks and business talks, addressing all the needs of a security professional.

The conference started with an excellent speech by Peter Kuper, who gave his vision about the security market in these turbulent times. (speech transcript here).

Then, during the conference, I attended the following talks:

How Microsoft Fixes Security Vulnerabilities: an interesting insight into what happens behind the curtain of a security update.

Politically Motivated Denial of Service Attacks, Jose Nazario.

Mac OS Xploitation, Dino Dai Zovi (Dino promised to turn OS X into a first-class citizen in Metasploit).

Attacking Layer 8: Client Side Penetration Testing, Chris Gates and Vince Marvelli. They showed how easy it is to own the end user.

DNS: Towards the Secure Infrastructure, Dan Kaminsky. This was the same presentation as DC.

Day 2:

L0phtCrack 6 Release

400 apps in 40 days, Sahba Kazerooni. He explained how he faced a weird project of 400 applications in 40 days.

Get rich or Die Trying, Jeremiah Grossman. A cool talk on how to earn money exploiting different application vulnerabilities.

Vulnerabilities in Application Interpreters and Runtimes. Erik showed some vulnerabilities in different widely deployed interpreters and runtimes.

Day 3:

Dissecting Foreign Web Attacks, Val Smith. Val analyzed a web attack from start to end; great info in his talk.

That's all for 3 days.

Greets to Chris Gates, Vince Marvelli, Val Smith, Jose Nazario, Stacy Thayer, Christien Rioux, and everyone I met in Boston.

Now SOURCE Barcelona is next; in the coming days we will launch the call for papers. Don't miss this great conference in this great city :)

-CMM

Friday, March 6, 2009

Fist Conference - Source Boston

The FIST Conference is over. I just came home and now I'm preparing my backpack for tomorrow's trip to NY and Boston, where I will attend SOURCE Conference Boston :)

The talk by Jay Libove was very interesting; he made us think about the ethics in our career. Vicente Diaz talked about the eCrime economy, showing some unbelievable facts and numbers; we are really outnumbered... My talk was about Information Gathering, Metadata and Social Networks, showing how easy it is to obtain information about individuals and companies.

The slides will be available soon at www.fistconference.org

Here is a screenshot of the next Metagoofil version that I showed today:

Yes, it has the "Analyze local files" feature that many of you asked for :)

-CMM

Thursday, March 5, 2009

Warvox: Wardialing refreshed

The people at Metasploit released a new tool for performing wardialing attacks. You must be wondering: why a new wardialing tool in these times?

Well, they came up with a new idea: using VoIP services to perform the scans, and they claim to reach approximately 10,000 numbers in 8 hours. No modem needed, yes you read that right.

One of the great things about the WarVOX model is that once the data has been gathered, it is archived and available for re-analysis as new signatures, plugins, and tools are developed.
Their analysis is also interesting, because it identifies more things than just a modem attached to a telephone line:

This model allows WarVOX to find and classify a wide range of interesting lines, including modems, faxes, voice mail boxes, PBXs, loops, dial tones, IVRs, and forwarders. WarVOX provides the unique ability to classify all telephone lines in a given range, not just those connected to modems, allowing for a comprehensive audit of a telephone system.

The tool is coded in Ruby and you can download it here

-CMM

Tuesday, March 3, 2009

Quick tip: Sharing a directory over the web easily

Sometimes you need to share a file, show someone a file, or serve a client-side exploit on a local network, but you don't have a web server on your machine or don't want to upload the file to a server... Here is a very useful tip to run a web server serving the current directory with Python:

shell>python -c "import SimpleHTTPServer;SimpleHTTPServer.test()"

There is an easier way:

shell>python -m SimpleHTTPServer

By default it will use port 8000.

You can create an alias for easy launching.
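As an added example (not from the original post), here is the same trick on modern Python 3, where SimpleHTTPServer became http.server, with the two settings that matter when the machine sits on a shared network: the bind address (the one-liner listens on every interface) and the directory being served. The demo() function, its temp files and their contents are constructed for illustration; it also checks that a ".." in the request cannot escape the served directory.

```python
import functools
import http.client
import http.server
import os
import socketserver
import tempfile
import threading


def make_server(directory, bind="127.0.0.1", port=0):
    # `python -m SimpleHTTPServer` binds 0.0.0.0, exposing the share to the whole
    # LAN; defaulting to 127.0.0.1 keeps it local unless you opt in. Pinning
    # `directory` avoids serving whatever the current directory happens to be.
    handler = functools.partial(http.server.SimpleHTTPRequestHandler,
                                directory=os.path.abspath(directory))
    return socketserver.TCPServer((bind, port), handler)  # port=0: OS picks one


def fetch(host, port, path):
    """GET `path` verbatim (no client-side normalisation) and return (status, body)."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    conn.request("GET", path)
    resp = conn.getresponse()
    body = resp.read()
    conn.close()
    return resp.status, body


def demo():
    """Serve a constructed temp directory; return the responses for a file inside
    the share and for a '..' request aimed at a file outside it."""
    with tempfile.TemporaryDirectory() as root:
        share = os.path.join(root, "share")
        os.mkdir(share)
        with open(os.path.join(share, "notes.txt"), "wb") as f:
            f.write(b"constructed sample file\n")  # constructed content
        with open(os.path.join(root, "outside.txt"), "wb") as f:
            f.write(b"must never be served\n")  # sits above the served root
        srv = make_server(share)
        threading.Thread(target=srv.serve_forever, daemon=True).start()
        host, port = srv.server_address
        try:
            inside = fetch(host, port, "/notes.txt")
            escaped = fetch(host, port, "/../outside.txt")  # handler drops '..' -> 404
        finally:
            srv.shutdown()
            srv.server_close()
    return inside, escaped
```

Calling demo() returns a 200 with the file content for the request inside the share and a 404 for the ".." request, because SimpleHTTPRequestHandler normalises the path and discards parent-directory components before touching the filesystem.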

More shell tricks at Shell-fu.org

-CMM

Wfuzz 2.2.0 released

I'm pleased to announce a new version of WFuzz! Wfuzz has been created to facilitate the task in web applications assessments and it...