Week 26 In Review

Resources

  • Electronic Frontier Foundation Know Your Rights! Guide
    Your computer, your phone, and your other digital devices hold vast amounts of personal information about you and your family. Can police officers enter your home to search your laptop? The Electronic Frontier Foundation (EFF) has answers to these questions in our new “Know Your Digital Rights” guide.

  • Introducing the CWSS
    The Common Weakness Scoring System (CWSS) is intended to give developers and customers a better idea of which weaknesses should be accorded the highest priority. A buffer overflow discovered during a code audit is, for example, assigned a lower CWSS score if the data used to trigger the overflow is not derived from user input. Memory leaks which lead to crashes are given an even lower score.

  • Dave Aitel And His Process For Security Research – resources.infosecinstitute.com
    In our ongoing series of interviews, this week Dave Aitel answered a few questions and pulled back the curtain a bit on the methods, tools and motivation for the work he does.
  • Protecting your web apps from the tyranny of evil with OWASP – troyhunt.com
    So my first conference presentation is now done and dusted at DDD Sydney. Given I’m writing this in advance with the intention of making the material available immediately afterwards, I’ll need to rely on others to comment on how it all went. The important bit is that the slides are now available here and all the code used in the examples is here.

Tools

  • Netragard’s Hacker Interface Device (HID) – snosoft.blogspot.com
    We (Netragard) recently completed an engagement for a client with a rather restricted scope. The scope included a single IP address bound to a firewall that offered no services what so ever. It also excluded the use of social attack vectors based on social networks, telephone, or email and disallowed any physical access to the campus and surrounding areas. With all of these limitations in place, we were tasked with penetrating into the network from the perspective of a remote threat, and succeeded.
  • UPDATE: Nmap 5.59BETA1! – nmap.org/download.html
    Nmap (“Network Mapper”) is a free and open source utility for network exploration or security auditing. Many systems and network administrators also find it useful for tasks such as network inventory, managing service upgrade schedules, and monitoring host or service uptime. Nmap uses raw IP packets in novel ways to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems (and OS versions) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics.
  • UPDATE: The Social-Engineer Toolkit v1.5.2! – secmaniac.com/download
    The Social Engineering Toolkit (SET) is a python-driven suite of custom tools which solely focuses on attacking the human element of penetration testing.  It’s main purpose is to augment and simulate social-engineering attacks and allow the tester to effectively test how a targeted attack may succeed.
  • UPDATE: Web Security Dojo v1.2! – sourceforge.net/projects/websecuritydojo/files/
    A free open-source self-contained training environment for Web Application Security penetration testing. Tools + Targets = Dojo. The Web Security Dojo is for learning and practicing web app security testing techniques. It is ideal for self-teaching and skill assessment, as well as training classes and conferences since it does not need a network connection. The Dojo contains everything needed to get started – tools, targets, and documentation.
  • Syringe: A Process Shellcode/DLL Injector! – www.securestate.com/Documents/syringe.c
    If you remember about an old post of ours – Shellcodeexec, you might have a faint idea of what Syringe does. Shellcodeexec is a small script to execute in memory a sequence of opcodes. What it does is it spawns a new thread where the shellcode is executed in a structure exception handler (SEH). Syringe is a general purpose injection utility for the Windows platform.
  • sslsniff v0.7 – SSL Man-In-The-Middle (MITM) Tool – darknet.org.uk
    It’s been a while since the last sslsniff release back in August 2009 with version 0.6 – sslsniff v0.6 Released – SSL MITM Tool. Version 0.7 was finally released earlier in the year in April – so here it is. This tool was originally written to demonstrate and exploit IE’s vulnerability to a specific “basicConstraints” man-in-the-middle attack. While Microsoft has since fixed the vulnerability that allowed leaf certificates to act as signing certificates, this tool is still occasionally useful for other purposes.
  • Advanced Windows Password Recovery – openwall.com
    As part of Dhiru Kholia’s GSoC 2011 project, support for cracking of password-protected WinZip archives with AES encryption has been added. As currently implemented, false positives may occur (in other words, non-working passwords may be found), typically if the actual password is complicated.  Hopefully, this shortcoming will be addressed at a later time.

Techniques

  • Metasploit Payloads Explained
    Payload selection is something that rarely gets talked about in detail. Most PoCs just use calc.exe, netcat, or some kind of socket. The vast majority of Metasploit tutorials, videos and documentation use the windows/meterpreter/reverse_tcp payload which is only one of 224 possible payloads.

  • Fxsst.dll Persistence: The Evil Fax Machine – room362.com
    Nick Harbour wrote a post on Mandiants blog about some Malware that was using a dll called ‘fxsst.dll’ to hide and stay persistent on a system. The DLL is used by Windows when it is acting as a Fax server (anyone still do that?).
  • MS11-030: Exploitable or Not? – community.rapid7.com
    If you weren’t already aware, Rapid7 is offering a bounty for exploits that target a bunch of hand-selected, patched vulnerabilities. There are two lists to choose from, the Top 5 and the Top 25 . An exploit for an issue in the Top 5 list will receive a $500 bounty and one from the Top 25  list will fetch a $100 bounty. In addition to a monetary reward, a successful participant also gets to join the elite group of people that have contributed to Metasploit over the years.
  • Meterpreter HTTP/HTTPS Communication – community.rapid7.com
    The Meterpreter payload within the Metasploit Framework (and used by Metasploit Pro) is an amazing toolkit for penetration testing and security assessments. Combined with the Ruby API on the Framework side and you have the simplicity of a scripting language with the power of a remote native process. These are the things that make scripts and Post modules great and what we showcase in the advanced post-exploit automation available today.
  • Process Injection Outside of Metasploit – carnal0wnage.attackresearch.com
    You may find yourself needing to do process injection outside of metasploit/meterpreter. A good examples is when you have a java meterpreter shell or you have access to gui environment (citrix) and/or AV is going all nom nom nom on your metasploit binary.
  • Universal DEP/ASLR bypass with msvcr71.dll and mona.py – corelan.be
    Over the last few weeks, there has been some commotion about a universal DEP/ASLR bypass routine (written by Immunity Inc)  using ROP gadgets from msvcr71.dll and the fact that it might have been copied into an exploit submitted to Metasploit as part of the Metasploit bounty. For the record, I don’t know exactly what happened nor have I seen the proof… so I’m not going to make any statements about this or judge anyone.

Other News

  • Take a bow everybody, the security industry really failed this time – erratasec.blogspot.com
    I haven’t said anything about Lulzsec publicly yet and I don’t really have a good reason for the lack of comment. I have been watching their activities with great amusement. On Saturday I saw they released a large list of routers IP addresses and the username and passwords. The passwords looked like they were set to default values.
  • Human Error Fuels Hacking As Tests Show Nothing Stops Human Idiocy – bloomberg.com
    The U.S. Department of Homeland Security ran a test this year to see how hard it was for hackers to corrupt workers and gain access to computer systems. Not very, it turned out. Staff secretly dropped computer discs and USB thumb drives in the parking lots of government buildings and private contractors. Of those who picked them up, 60 percent plugged the devices into office computers, curious to see what they contained. If the drive or CD case had an official logo, 90 percent were installed.
  • University Of California: 3 Banks Can Stop Majority Of Botnets – ghacks.net
    I never really understood why it was this difficulty to identify the people benefiting from running a botnet. I mean, while it is relatively easy to use chained proxies, middleman and other means to stay anonymous, it is not as easy to anonymize the flow of money. Eventually, the money will land at the people who run the botnet.

Leave A Comment