Events Related:
- Security BSides Kansas City Re-cap – infosecramblings.com
BSidesKC was a one day, one track conference packed full of great talks given by great speakers. Below you will find brief descriptions of each talk along with links to the slides where available.
- What I personally learned at CyberRAID – h-i-r.net
Blind SQL injection and RCE exploits are very popular, so crafty hackers and pen-testers often try to leverage these vulnerabilities to launch some process that can notify them that their exploit has worked.
- SOURCE Barcelona Day #1 Wrap-Up – rootshell.be
From the organizers, the number of registrations grew from fifty to eighty. Not bad!
- News on BruCON
  - BruCON 2010 : Day 0x1 – corelan.be
  - BruCON 2010 : Day 0x2 – corelan.be
  - BruCON 2010 Wrap-Up – rootshell.be
Resources:
- Review: Advanced Penetration Testing (APT) – ethicalhacker.net
This year I had the opportunity to take a few stellar instructor-led training courses, one of which was Joe McCray’s “Advanced Penetration Testing: Pentesting High Security Environments” course from his training entity LearnSecurityOnline.
- Marcell published “Writing your own password cracker” presentation – red-database-security.com
Marcell describes different ways to achieve this goal, e.g. source code analysis, debugging or reverse engineering.
- Website Security Statistics Report (2010) – Industry Benchmarks – jeremiahgrossman.blogspot.com
“How are we doing?” That’s the question on the mind of many executives and security practitioners, whether they have recently implemented an application security program or already have a well-established plan in place.
- How to View a Report in WACA? – msdn.com
Web Application Configuration Analyzer v1.0 is the latest tool released by our team that scans a machine for deployment best practices.
- How to Scan a Server using WACA? – msdn.com
The tool will perform prerequisite scanning first to determine server existence, administrative access, IIS and SQL versions and remote services availability.
- Beyond Nmap: Other network scanners – irongeek.com
This is a presentation I did for the Bluegrass ISSA chapter. Tools covered, at least lightly, are: Nmap, Hping, UnicornScan, AutoScan, Netscan, Metasploit, NetworkMiner and of course BackTrack 4 R1.
- DOM Hacking – Paper and Tools – shreeraj.blogspot.com
DOM Hacking was presented at BlackHat and is going to be presented at the next HackInTheBox.
Tools:
- Websecurify 0.8 Alpha 1 – code.google.com/p/websecurify/
Websecurify is a powerful web application security testing platform designed from the ground up to provide the best combination of automatic and manual vulnerability testing technologies.
- Dom Xss Test Cases Wiki Project – code.google.com/p/domxsswiki/
Dom Xss Test Cases Wiki is a KB for defining sources of attacker controlled inputs and sinks which potentially could introduce DOM Based Xss issues.
- Havij – Advanced Automated SQL Injection Tool – darknet.org.uk
Havij is an automated SQL Injection tool that helps penetration testers to find and exploit SQL Injection vulnerabilities on a web page.
- Web Application Configuration Analyzer v1.0 RTW is live! – msdn.com
Web Application Configuration Analyzer (WACA) is a tool that scans a server against a set of best practices recommended for pre-production and production servers.
- TA-Mapper: Application Penetration Testing Effort Estimator – coffeeandsecurity.com
Time and Attack Mapper (alternatively known as TA-Mapper) is an effort estimator tool for blackbox security assessment (or Penetration Testing) of applications.
- skipfish 1.67b – code.google.com/p/skipfish/
A fully automated, active web application security reconnaissance tool.
- Ethical Hacking ASP.NET 1.3.0.1 – ethicalhackingaspnet.codeplex.com/
The v.1.3.0.1 contains minor fixes and enhancements to the Padding Oracle test.
- CERT Basic Fuzzing Framework Update – cert.org
The BFF is a framework to perform file mutation fuzzing for Linux applications.
- Samurai WTF 0.9 BruCON pre-release – brucon.org
Justin Searle was so kind to release the latest version of the Samurai Web Application Testing Framework made for the BruCON workshops.
- PyLoris 3.2 – sourceforge.net/projects/pyloris/
PyLoris is a scriptable tool for testing a server’s vulnerability to connection exhaustion denial of service (DoS) attacks.
Techniques:
- Detecting the CVE-2010-3081 high-profile exploit – ksplice.com
The binary is compiled for RHEL 5/CentOS 5, but it works correctly on a number of other platforms including Debian Lenny and Ubuntu.
- Really, Adobe? – attackvector.org
Anyway, a penetration testing company named Ramz Afzar has released an unofficial patch to fix the Adobe vulnerability, because apparently Adobe has had a difficult time figuring one out on their own.
- Can Your IPv4 Firewall Be Bypassed by IPv6 Traffic? – cerias.purdue.edu
I was surprised to discover that IPv6 was enabled on several hosts with default firewall policies of ACCEPT and no rules.
- “Hot Video” pages: analysis of a hijacked site (Part I) – zscaler.com
I was fortunate enough to find a hijacked site which was being used to host fake “Hot video” pages, which I’ve blogged about before.
- Web Application Penetration Testing Script – Part 3 – pauldotcom.com
My third python web testing script in this series is a blind SQL injection script.
- Episode #113: Checking for Prints – commandlinekungfu.com
Right, so I needed to come up with something quick for this week because of my travel time crunch. And as I was prepping to head to Vegas, the perfect idea occurred to me as I typed the following command.
- Laszlo’s presentation “Oracle Post Exploitation Techniques” and Marcel’s Sybase ASE Password Cracker – red-database-security.com
Last weekend I gave a presentation “Security comparison of different databases” (Oracle, MySQL, MSSQL, DB2 LUW, PostgreSQL and Sybase ASE) at the Hacktivity 2010 conference in Budapest.
- Advanced Burp Suite Automation – redspin.com
BurpExtender.java takes full advantage of the IBurpExtender interface and accepts a starting URL, output name, and optional cookie string on the command line.
- Geolocation Using BSSID – attackvector.org
This was discussed at DefCon 18 in a talk by Sammy Kamkar, but as far as I know, Sammy didn’t release his code, so I had to come up with something on my own.
- Network assessment and analysis with nast – bailey.st
A very comprehensive syntax and a human readable output make the usage less cryptic. This isn’t a replacement for Tcpdump, it’s an addition!
- Twitter OnMouseOver XSS – hp.com
Is it my imagination or do they appear to be black-listing certain inputs?
- Impersonating the Windows Print Spooler for Relayed RPC – metasploit.com
On Friday night, I committed our exploit module which takes advantage of the vulnerability fixed in MS10-061.
- Kill the hash with hashKill – bailey.st
Hashkill is a multithreaded password cracker that uses the OpenSSL library to crack different types of password hashes.
- Revenge of the Bind Shell – room362.com
At the April 2010 NoVA Hackers meeting I discussed some of the offensive uses of IPv6 on current networks.
- XSS Zones – thespanner.co.uk
One of the impossible problems of the web is how you protect against a site that has a persistent XSS hole yet requires JavaScript to function.
- Pentesting privilege escalation in web applications – itsecuritylab.eu
It is clear that if you would just click “here and there” manually (or even copy some URLs) as a low-privileged user, you still may omit something important very easily.
Vulnerabilities:
- ASP.NET Padding Oracle Vulnerability
Everybody’s talking about the ASP.NET Padding Oracle vulnerability released a few days ago at the ekoparty Security Conference.
  - ASP.NET padding oracle (crypto) vulnerability announced – terminal23.net
  - How to check if your application is vulnerable to the ASP.NET Padding Oracle Vulnerability – acunetix.com
  - Padding oracle detection script – asp.net
- Microsoft Windows Live Safety Scanner (OneCare) Download and Execute Exploit – rec-sec.com
A vulnerability has been found in Microsoft Windows Live Safety Center (OneCare) which allows an attacker to download and execute files (executables) on a victim machine.
Vendor/Software Patches:
- Adobe fixes Flash security hole
Adobe Systems Inc. today rushed out a software update to remedy a dangerous security hole in its ubiquitous Flash Player that hackers have been exploiting to break into vulnerable systems.
  - Security Fix for Critical Adobe Flash Flaw – krebsonsecurity.com
  - Yet Another Adobe Flash Painful Update – hackademix.net
Other News:
- Google Adds 2-Factor Security to Gmail, Apps – krebsonsecurity.com
Users who choose to take advantage of the technology can have the codes sent via text message or a special Google mobile app.
- More Stuxnet news
  - Stuxnet – Cyber Warfare In 2010 – chaptersinwebsecurity.blogspot.com
  - Is Stuxnet the Beginning of the Cyberwar Era? – sans.edu
  - Stuxnet Update – avertlabs.com
  - Stuxnet, Suxnet – isc2.org
- DIY Laser Listening Device – hackedgadgets.com
The idea is that sound from someone speaking will vibrate the window that is in the same room as them. If you bounce a laser beam from a 5mW laser module off the window, the laser beam will be deflected slightly as the window vibrates.
- Five Reasons “dot-secure” Will Fail – taosecurity.blogspot.com
The officer, Gen. Keith B. Alexander, suggested that such a heavily restricted network would allow the government to impose greater protections for the nation’s vital, official on-line operations.