Week 30 In Review

Resources

  • Strategies To Mitigate Targeted Cyber Intrusions – dsd.gov.au
    Australian computer networks are being targeted by adversaries seeking access to sensitive information. A commonly used technique is social engineering, where malicious “spear phishing” emails are tailored to entice the reader to open them. Users may be tempted to open malicious email attachments or follow embedded links to malicious websites. Either action can compromise the network and disclose sensitive information.
  • OWASP Session Management Cheat Sheet – owasp.org
    A web session is a sequence of network HTTP request and response transactions associated to the same user. Modern and complex web applications require the retaining of information or status about each user for the duration of multiple requests. Therefore, sessions provide the ability to establish variables – such as access rights and localization settings – which will apply to each and every interaction a user has with the web application for the duration of the session.
  • Cisco Guide To Securing Cisco NX-OS Software Devices – cisco.com
    This document contains information to help you secure, or harden, your Cisco® NX-OS Software system devices, which increases the overall security of your network. The document is organized according to the three planes into which functions of a network device can be categorized. It provides an overview of each security feature included in Cisco NX-OS and includes references to related documentation.

Tools

  • Websurgery Web Security Testing Tool – sectechno.com
    WebSurgery is another suite of tools for security testing of web applications. It was designed for security auditors to help them with web application planning and exploitation. Currently, it uses an efficient, fast and stable Web Crawler, File/Dir Bruteforcer and Fuzzer for advanced exploitation of known and unusual vulnerabilities such as SQL injection, cross-site scripting (XSS), brute-force for login forms, and identification of firewall-filtered rules.
  • UPDATE: sslsniff v0.8 with iOS Fingerprinting Support! – thoughtcrime.org/software/sslsniff
    sslsniff is designed to MITM all SSL connections on a LAN and dynamically generates certs on the fly for the domains that are being accessed. The new certificates are constructed in a certificate chain that is signed by any certificate that you provide.
  • NfSpy – ID-spoofing NFS Client – Falsify NFS Credentials – darknet.org.uk
    NfSpy is a FUSE filesystem written in Python that automatically changes UID and GID to give you full access to any file on an NFS share. Use it to mount an NFS export and act as the owner of every file and directory.
  • SecureState’s New Page Collector Module for the Metasploit Framework Footprints Web Services in a Shorter Amount of Time – blog.securestate.com
    During penetration tests, consultants often need to target web applications in order to find “low hanging” vulnerabilities such as default password configurations and out of date software. This task can be very difficult on large networks that are home to many hosts with different web servers often running on a variety of ports.
  • Routerpwn: A Web Application For Exploiting Vulnerable Routers – routerpwn.com
    Ever wanted a repository kind of a place for known vulnerabilities that plague network devices? Something that you can use on the go, possibly via your smart phone? Enter Routerpwn, a graphical user interface for a lot of local and remote exploits targeting network devices such as residential and commercial routers, switches and access points!
  • BTCrack: A Bluetooth Pass Phrase Bruteforcer! – secdev.zoller.lu
    BTCrack is the world’s first Bluetooth pass phrase (PIN) bruteforce tool! It works by reconstructing the PIN and link key with data sniffed during a pairing exchange. The calculated PIN can then be used to authenticate against a device in pairing mode. During a normal Bluetooth pairing process, the two devices involved establish a relationship by creating a shared secret known as a link key.

Technique

  • Attacking Web Services SOAP
    I often receive testing related questions from AppSec folks new to web services about the techniques used to discover and attack them. Often, web services are seen as difficult to enumerate, interpret, and exploit as well as an arena with only a small arsenal of tools available.
    • Part 1 – resources.infosecinstitute.com
    • Part 2 – resources.infosecinstitute.com
  • Sqlmap Introduction – SQL injection Walkthrough – hackonadime.blogspot.com
    In prior posts, we’ve discussed performing reconnaissance work on targets. We’ve talked about using FOCA, Maltego and other tools (including some that simply query how the Internet works) and how to gather information from targets about them.
  • Minimum Password Length of 15 or More Via GPO – room362.com
    Also known as “How to practice what we preach”. I don’t know how long I’ve been telling clients that they need to have a minimum password length of 15 characters to make it so there is no chance LM will be stored (and a cursory bonus that their password won’t be close to their original). But I’ve never tried setting it myself. Well, a client called me out. You can’t! (well, at least not through the UI)
  • Metasploit Bounty: The Good, The Bad, and the Ugly – corelan.be
    On June 14, 2011 HD Moore announced the Metasploit Bounty contest, offering a cash incentive for specific vulnerabilities to be submitted as modules in the Metasploit Framework. Titled “30 exploits, $5000 in 5 weeks”, a post on the Rapid7 blog lists the 30 “bounties” selected by the MSF team, waiting for someone to claim and submit a working exploit module.
  • MindshaRE: Hooking ReadFile and MapViewOfFile for Vulnerability Analysis – dvlabs.tippingpoint.com
    As Aaron mentioned in another MindshaRE, here at ZDI we often get submissions containing only a fuzzed file without any analysis. When analysing those cases it is often useful to know exactly when our vulnerable program reads the bytes that have been changed in the file. This can be done using the hooking technique Aaron described earlier.
  • Web Application Fingerprinting Methods, techniques, and Prevention – anatshiri.info
    This paper discusses the relatively nascent field of web application fingerprinting: how automated web application fingerprinting is performed in current scenarios, what the visible shortcomings in the approach are, and then ways and means to avoid web application fingerprinting.
  • Password Cracking In MetaSploit With John The Ripper – community.rapid7.com
    HDM recently added password cracking functionality to Metasploit through the inclusion of John-the-Ripper in the Framework. The ‘auxiliary/analyze/jtr_crack_fast’ module was created to facilitate JtR’s usage in Framework and directly into Express/Pro’s automated collection routine.
  • Introducing FiveBelow, the dummy file fuzzer – net-ninja.net
    As some of you may know, I can at times begin on a project and then often “concede” based on scope creep/laziness/lack of interest/no time. Lately I have had a sudden change of heart and decided that it’s about time I have more persistence.
  • tcpdump and ngrep – securityonion.blogspot.com
    tcpdump’s advantage is that it is more universally available than ngrep. If you’re doing Incident Response on a Unix box of some kind, chances are that it already has tcpdump installed and you can use that to look for suspicious traffic.
  • Pentesting with BackTrack and Offensive Security Certified Professional – g0tmi1k.blogspot.com
    Up until a month or so ago, everything I’ve learnt was done by using various free resources online. Last month however, I became an “offsec” student. I enrolled on the “Pentesting with BackTrack” (PWB) course, currently version 3 (syllabus). After the lab time is over, the student has the option of sitting an exam. Upon passing the exam, the student is awarded an Offensive Security Certified Professional (OSCP) certificate. I now have that certificate =). This is my review of it all.
  • Protecting Your OSX With IPFW and Little Snitch – blog.c22.cc
    So, after posting on twitter about my OSX firewall configuration, a few people asked me to post up a copy of my rules. Now, I’m by no means an OSX expert, an IPFW expert, or a networking expert for that matter… but this configuration could be useful as a starting point for people.

Vulnerabilities

Vendor/Software Patches

Other News

  • US-Cert Director Leaves Abruptly – informationweek.com
    U.S. Computer Emergency Readiness Team (US-CERT) director Randy Vickers resigned his position Friday, effective immediately, according to an e-mail to US-CERT staff sent by Bobbie Stempfley, acting assistant secretary for cybersecurity and communications, and obtained by InformationWeek. A Department of Homeland Security (DHS) spokesperson confirmed the email was authentic.
  • How A Security Researcher Discovered The Apple Battery Hack – wired.com
    A security “noob” mistake has left the batteries in Apple’s laptops open to hacking, which could result in a bricked battery or, in a worst case scenario, fire or explosion. This was revealed Friday after Accuvant Labs security researcher Charlie Miller disclosed that he plans to detail the hack at the annual Black Hat security conference in early August.
  • Researchers Break Military Chip Encryption Keys Using Nvidia Tesla GPUs – cyberarms.wordpress.com
    German IT Security researchers at Ruhr University have recently released a report documenting the ability to crack strong encryption used in programmable chips. These chips are used in Military and Aerospace embedded systems.
  • How I Taught The Senate To Hack – threatpost.com
    What happens when 20-something Beltway wonks put down their Blackberries and start getting real about hacking? Chris Wysopal can tell you. The security expert and former L0pht member is just back from D.C., where he took on the job of teaching Senate staffers on the Homeland Security and Governmental Affairs Committee about SQL injection, spear phishing and more.
  • Flying Drone Can Crack Wi-Fi Networks, Snoop On Cell Phones – forbes.com
    How do one ex-Air Force official and one former airplane hobby shop owner, both of whom happen to have decades of experience as network security contractors for the military, spend their weekends? Building a flying, unmanned, automated password-cracking, Wi-Fi-sniffing, cell-phone eavesdropping spy drone, of course.
  • Researchers Say Vulnerabilities Could Let Hackers Spring Inmates From Jail – wired.com
    Some of the same vulnerabilities that the Stuxnet superworm used to sabotage centrifuges at a nuclear plant in Iran exist in the country’s top high-security prisons, according to security consultant and engineer John Strauchs, who plans to discuss the issue and demonstrate an exploit against the systems at the DefCon hacker conference next week in Las Vegas.