Event Related
- Hashdays
  - Hashdays Wrap-up Day #1 – blog.rootshell.be
    I’m in Luzern for a few days but the Hashdays security conference started today! w00t! This is the first edition for me. A very nice opening session performed by the defcon-switzerland group which organises this event.
  - Hashdays Wrap-Up Day #2 – blog.rootshell.be
    Yesterday evening, I went with friends to a traditional Swiss restaurant, then we passed by the party to have a few drinks. Thanks to the sponsor for the open bar! That’s why it was difficult to wake up this morning…
- Toorcon – xysec.com
  Directory listing for Toorcon.
- Hack in the Box – conference.hackinthebox.org
  Hack in the Box conference 2012 materials.
- Pumpcon 2012 Review – Blueray Hacking and BacNet – infosecalways.com
  My first time at Pumpcon and it was quite educational and fun. Nothing like being with a small group of smart people drinking and talking about computers.
- Advanced Persistent Pentesting – blog.pentestify.com
  This is a talk on pentesting given at Hacker Halted 2012 by Jonathan Cran and Jason Malley.
Resources
- Ending the Love Affair with ExploitShield – blog.trailofbits.com
  ExploitShield has been marketed as offering protection “against all known and unknown 0-day vulnerability exploits, protecting users where traditional anti-virus and security products fail.”
- Hacking SVN, GIT and MERCURIAL – resources.infosecinstitute.com
  We all know that when programming with a small or large team, having revision control in place is mandatory. We can choose from a number of revision control systems. The following ones are in widespread use worldwide.
- x86 Assembly Language Applicable To Reverse Engineering: The Basics – Part 2 – resources.infosecinstitute.com
  We saw in the first article an introduction to the most common x86 assembly instructions seen when it comes to disassembling and analyzing programs. We talked about registers, the stack / pile, flags, conditional jumps and the comparison instruction CMP.
- Deep Inside a DNS Amplification DDoS Attack – blog.cloudflare.com
  A few weeks ago I wrote about DNS Amplification Attacks. These attacks are some of the largest, as measured by the number of Gigabits per second (Gbps), that we see directed toward our network.
- Mobile Penetration Testing: There’s An App For That – mobileprivacy.org
  When most people think of penetration testing, they think of a simulated external attack where the tester tries to break into a network remotely.
- Q: A Collection of Metasploit Modules – resources.infosecinstitute.com
  I guess we all know what Metasploit is, so we don’t really need to present to the reader the basics of Metasploit. But it’s still useful if we present the types of modules that Metasploit has. Metasploit has the following types of modules.
- iOS Security: Objective-C and nil Pointers – blog.ioactive.com
  iOS devices are everywhere now. It seems that pretty much every other person has one…an iPhone, iPad or iPod touch – and they’re rivaled in popularity only by Android devices.
- IT Threat Evolution: Q3 2012 – securelist.com
  During Q3 2012, over 9,000 new malicious .dex files were added to our malware collection. This is 5,000 files fewer than last quarter but 3,500 more than in Q1 2012.
- Crypto for Pentesters – securityhorror.blogspot.com
  Cryptography (or cryptology; from Greek κρυπτός, kryptos, “hidden, secret”; and γράφω, gráphō, “I write”, or -λογία, -logia, respectively) is the practice and study of hiding information.
- Defeating Windows Driver Signature Enforcement #1: default drivers – j00ru.vexillium.org
  One of the obvious things about the Windows operating system for anyone actively working on its kernel security is that Driver Signature Enforcement (DSE in short) is not effective and can be bypassed with relative ease by any determined individual.
Techniques
- WinRM
  - Weekly Metasploit Update: WinRM Part One, Exploiting Metasploit, and More! – community.rapid7.com
    For the last couple of weeks, Metasploit core contributor David @TheLightCosine Maloney has been diving into Microsoft’s WinRM services with @mubix and @_sinn3r. Until these guys started talking about it, I’d never heard of WinRM.
  - Exploiting Trusted Hosts in WinRM – netspi.com
    Windows Remote Management (WinRM) is a SOAP-based protocol that can be used to remotely administer machines over the network. This is a handy tool for network admins that can also be used to automate tasks securely across multiple machines. However, it is fairly easy to misconfigure the service and/or abuse the service with legitimate account access.
- Finding Admin Access – room362.com
  You’ve got shell, and a set of credentials, but you’re coming up empty on what you can do with those credentials. This is especially problematic when you can’t get past UAC as you are either in an AlwaysNotify situation or not a local admin.
- Windows Deployment Services Clear Text Domain Creds – rewtdance.blogspot.com
  Dave “Rel1k” Kennedy’s talk ‘Owning One To Rule Them All’ at Defcon 20 Las Vegas opened my eyes to using a client’s PXE boot service, normally Windows Deployment Services, to infiltrate their network. The gist of the attack is simple: network boot a computer, retrieve the corporate image, and use that to gain information/credentials for the corporate domain.
- New Security Assertions in “Windows 8” – alex-ionescu.com
  Anyone reversing “Windows 8” will now find a non-familiar piece of code whenever a list insertion operation is performed on a LIST_ENTRY.
Tools
- Jigsaw – github.com
  Jigsaw.rb is a simple Ruby script for enumerating information about a company’s employees. It is useful for Social Engineering or Email Phishing. Collaborative project between Royce Davis (R3dy) and humble-desser.
- Burp Suite Free Edition v1.5 released – blog.portswigger.net
  Burp Suite Free Edition v1.5 is now available to download. This is a significant upgrade with a wealth of new features added since v1.4. The most notable of these are described below.
- Introducing Responder-1.0 – blog.spiderlabs.com
  Responder is a multi-threaded tool that answers IPv4 LLMNR (Link-local Multicast Name Resolution) and NetBIOS Name Service (NBT-NS) queries.
Vulnerabilities
- Microsoft’s security team is killing it: Not one product on Kaspersky’s top 10 vulnerabilities list – thenextweb.com
Microsoft products no longer feature among the Top 10 products with vulnerabilities. This is because the automatic updates mechanism has now been well developed in recent versions of Windows OS.
Vendor/Software Patches
- for loops! Bash One-liners to Validate Vulnerabilities on Multiple Hosts – blog.opensecurityresearch.com
  This is a quick blog post on one-liners. Recently I was working on manually validating vulnerabilities for a customer with a very large Internet presence.
- CA ARCserve – CVE-2012-2971 – offensive-security.com
  On a recent penetration test, we encountered an installation of CA ARCserve Backup on one of the target systems that piqued our interest. Like most “good” enterprise applications, ARCserve has processes that are running as SYSTEM, so naturally we went straight to work looking for vulnerabilities.
Other News
- Meet the network operators helping to fuel the spike in big DDoS attacks – arstechnica.com
  A company that helps secure websites has compiled a list of some of the Internet’s biggest network nuisances—operators that run open servers that can be abused to significantly aggravate the crippling effects of distributed denial-of-service attacks on innocent bystanders.
- Government-Funded Hackers Say They’ve Already Defeated Windows 8’s New Security Measures – forbes.com
  Last week’s Windows 8 launch wasn’t just a major product release for Microsoft. It seems to have been a banner day for the government-funded hackers who take Microsoft’s software apart, too.
- Final Report on DigiNotar Hack Shows Total Compromise of CA Servers – threatpost.com
  The attacker who penetrated the Dutch CA DigiNotar last year had complete control of all eight of the company’s certificate-issuing servers during the operation, and he may also have issued some rogue certificates that have not yet been identified.
- The Biggest Problem in Computer Security – carnal0wnage.attackresearch.com
  People tend to focus on various areas as being important for computer security, such as memory corruption vulnerabilities, malware, anomaly detection, etc. However, the lurking and most critical issue in my opinion is staffing.
- PayPal security holes expose customer card data, personal details – scmagazine.com.au
  A security researcher has reported finding dangerous website flaws in PayPal that grant attackers access to customer credit card data, account balances and purchase histories.
- Most U.S. Drones Openly Broadcast Secret Video Feeds – wired.com
  Four years after discovering that militants were tapping into drone video feeds, the U.S. military still hasn’t secured the transmissions of more than half of its fleet of Predator and Reaper drones, Danger Room has learned.