Events Related
- Securitybyte CTF Walkthrough – securitylearn.wordpress.com
SecurityByte is India’s largest hacking conference, held in Bangalore. To make the event more interesting, they also arrange capture the flag events (web and Wi-Fi hacking challenges).
Tools
- Ncrack and the Morto Worm
Ncrack is a high-speed network authentication cracking tool. It was built to help companies secure their networks by proactively testing all their hosts and networking devices for poor passwords. Security professionals also rely on Ncrack when auditing their clients. Ncrack was designed using a modular approach, a command-line syntax similar to Nmap and a dynamic engine that can adapt its behaviour based on network feedback. It allows for rapid, yet reliable large-scale auditing of multiple hosts.
- Using ncrack to test for servers vuln to Morto worm – carnal0wnage.attackresearch.com
- Ncrack entry – nmap.org/ncrack/
- TrueCrypt 7.1 brings full Mac OS X Lion Support – h-online.com
The TrueCrypt project has announced the arrival of version 7.1 of its open source, cross platform, disk encryption tool. TrueCrypt 7.1, the project’s first new stable release in nearly a year, is a maintenance update that adds full compatibility with 32- and 64-bit versions of Mac OS X 10.7 Lion. The developers note that several minor improvements and bug fixes affecting all supported platforms are also included; however, specific details have not been provided.
Techniques
- Bottom Up Randomization Saves Mandatory ASLR – blog.didierstevens.com
I recently found out that pseudo-ASLR (or mandatory ASLR in EMET) has a lower entropy than real ASLR. While real ASLR has an 8-bit entropy for base addresses, mandatory ASLR turned out only to have about 4 bits of entropy, and the distribution was far from uniform. What I forgot to tell you in that post is that I just enabled Mandatory ASLR as mitigation in EMET.
- TTCP and Later – gse-compliance.blogspot.com
NetCat is a great and simple tool with many uses, but it has a number of limitations in being such a simple and generalised tool. A tool that allows for some more specialised uses of sockets and connection testing is TTCP or “Test TCP”.
- Heap Overflow For Humans 102 – net-ninja.net
Initially I discussed techniques for exploiting heap overflows in older versions of Windows in an attempt to give the reader a practical working knowledge of how the unlink process works and how flink/blink from freelist[n] can be controlled to give an attacker an arbitrary 4-byte write primitive.
- Search windows open shares with python – travisaltman.com
It’s rare during a penetration test that I actually exploit a vulnerability to gain more information. Newcomers to my field will often use the term “network security”. I don’t care about the network, have the network for all I care. What I’m more concerned about is the information inside the network. The better way to describe it is “information security”.
- Viewing GPOs on the Command Line – redspin.com
Want a quick way to see what GPOs are applied to your local system, using just built-in utilities? Using the GUI to manually view what settings are applied is awkward and slow. Use the following commands to see what policies are being handed down to the system you’re on and what they’re enforcing. This info can be incredibly handy during a pentest in order to find out the limitations being imposed on a specific system you’ve compromised.
- SSL certificate impersonation…for shits and giggles – blog.c22.cc
How often as penetration testers do we see SSL-protected services using self-signed certificates… If you’re anything like the average penetration tester, it’s probably daily. We’ve all been through the song and dance of documenting it, saying it’s bad and that it might have security consequences. I’m sure we’ve all heard every excuse under the sun as well when it comes to why it can’t be fixed. Costs too much, no internal PKI, takes too much time, and some of my favourites…
- Reverse Shell Cheat Sheet – pentestmonkey.net
If you’re lucky enough to find a command execution vulnerability during a penetration test, pretty soon afterwards you’ll probably want an interactive shell. If it’s not possible to add a new account / SSH key / .rhosts file and just log in, your next step is likely to be either throwing back a reverse shell or binding a shell to a TCP port. This page deals with the former.
Other News
- Google SSL Mess
I presume this is because DigiNotar has not explained how the Google certificate was signed and to prevent further abuse. This could cause issues for websites that have purchased certificates from DigiNotar. It remains to be seen whether other browsers will follow in Mozilla’s footsteps, but it may be prudent to remove DigiNotar from your trusted certificates until there is further clarification.
- Falsely Issued Google SSL Certificate In the Wild For More Than 5 Weeks – nakedsecurity.sophos.com
- Fraudulent *.google.com certificate – blog.mozilla.com
- Hackers acquire Google certificate, could hijack gmail accounts – computerworld.com
- Hackers May Have Stolen More Than 200 SSL Certificates – computerworld.com
- Google Certificate Hackers May Have Stolen 200 Others – wired.com
- Fake Google SSL Certificate – shiflett.org
- SSL Certificates: What’s Left To Trust – readwriteweb.com
- DigiNotar and the Breached Certificate Authority (CA)
The latest breach at a certificate authority (CA) demonstrates how companies need to keep track of who their software is trusting so they won’t be vulnerable to a host of attacks enabled by false digital certificates.
- Breached CA Underscores Need To Examine Who You Trust – darkreading.com
- What You Need To Know About The DigiNotar Hack – threatpost.com
- Comodo, DigiNotar Attacks Expose Crumbling Foundation of CA System – threatpost.com
- Finding Which Root CAs You Actually Use – intrepidusgroup.com
- DigiNotar Removal Followup – blog.mozilla.com
- DigiNotar Breach – the story so far – isc.sans.edu
- DigiNotar Damage Disclosure – blog.torproject.org
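The DigiNotar entries above make two practical points: find out which root CAs your software actually trusts, and drop DigiNotar from that set until the situation is clear. The following is an added example (it is not code from any of the linked posts) that does that check for a Python TLS client using only the standard library: it lists the roots loaded into ssl’s default context, flags any whose subject organization is on a distrust list, and applies the same test to the issuer of a peer certificate. The distrust-by-organizationName rule, the DISTRUSTED_ORGS set and the sample certificate dicts are assumptions constructed for this example.

```python
"""Flag distrusted CAs in a Python client's trust store (added example).

Assumptions (not from the linked posts): a CA is identified by the
organizationName in its subject, and the sample certificate dicts below
are constructed to mirror the shape returned by ssl.SSLContext.get_ca_certs()
and ssl.SSLSocket.getpeercert().
"""
import ssl

# Assumption: organizations whose certificates we no longer want to trust.
DISTRUSTED_ORGS = {"DigiNotar"}


def rdn_value(name, attr):
    """Return the first value of `attr` from an ssl-module name tuple.

    `name` looks like ((('countryName', 'NL'),), (('organizationName', 'X'),))
    i.e. a tuple of RDNs, each a tuple of (type, value) pairs.
    """
    for rdn in name:
        for key, value in rdn:
            if key == attr:
                return value
    return None


def distrusted_roots(ca_certs, distrusted=DISTRUSTED_ORGS):
    """Return the subset of CA cert dicts whose subject O is distrusted."""
    hits = []
    for cert in ca_certs:
        org = rdn_value(cert.get("subject", ()), "organizationName")
        if org in distrusted:
            hits.append({
                "organization": org,
                "commonName": rdn_value(cert.get("subject", ()), "commonName"),
                "serialNumber": cert.get("serialNumber"),
                "notAfter": cert.get("notAfter"),
            })
    return hits


def issued_by_distrusted_ca(peer_cert, distrusted=DISTRUSTED_ORGS):
    """True if a getpeercert()-style dict names a distrusted issuer O."""
    issuer_org = rdn_value(peer_cert.get("issuer", ()), "organizationName")
    return issuer_org in distrusted


def system_store_report(distrusted=DISTRUSTED_ORGS):
    """Scan the roots loaded by the platform default context.

    Caveat: get_ca_certs() only lists certificates loaded from a CA *file*;
    roots in a capath directory appear only after they have been used, so an
    empty result does not prove a CA is absent from the system store.
    """
    ctx = ssl.create_default_context()
    return distrusted_roots(ctx.get_ca_certs(), distrusted)


# Constructed sample data (not real certificate records).
_DIGINOTAR_NAME = (
    (("countryName", "NL"),),
    (("organizationName", "DigiNotar"),),
    (("commonName", "DigiNotar Root CA"),),
)
_OTHER_NAME = (
    (("countryName", "US"),),
    (("organizationName", "Example Trust Co"),),
    (("commonName", "Example Root CA"),),
)
SAMPLE_STORE = [
    {"subject": _DIGINOTAR_NAME, "issuer": _DIGINOTAR_NAME,
     "serialNumber": "01", "notAfter": "Jan  1 00:00:00 2030 GMT", "version": 3},
    {"subject": _OTHER_NAME, "issuer": _OTHER_NAME,
     "serialNumber": "02", "notAfter": "Jan  1 00:00:00 2030 GMT", "version": 3},
]
SAMPLE_PEER = {  # a leaf for *.google.com chained to the distrusted root
    "subject": ((("commonName", "*.google.com"),),),
    "issuer": _DIGINOTAR_NAME,
    "serialNumber": "03", "notAfter": "Jan  1 00:00:00 2013 GMT", "version": 3,
}

if __name__ == "__main__":
    print("sample store hits:", distrusted_roots(SAMPLE_STORE))
    print("sample peer issued by distrusted CA:", issued_by_distrusted_ca(SAMPLE_PEER))
    print("system store hits:", system_store_report())
```

Matching on organizationName is deliberately coarse: it catches every DigiNotar root and intermediate regardless of commonName, which is what you want while the scope of the compromise is still unknown. For a browser or OS store the equivalent is removing or marking untrusted the CA entries there; this script only tells you what a Python client built on ssl will accept.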
- Pakistan To Ban Encryption Software – guardian.co.uk
Millions of internet users in Pakistan will be unable to send emails and messages without fear of government snooping after authorities banned the use of encryption software. A legal notice sent to all internet providers (ISPs) by the Pakistan Telecommunication Authority, seen by the Guardian, orders the ISPs to inform authorities if any of their customers are using virtual private networks (VPNs) to browse the web.
- California Gets A Strengthened Breach Notification Law – emergentchaos.com
Governor Brown of California has signed a strengthened breach notification bill, which amends Sections 1798.29 and 1798.82 of the California Civil Code in important ways. Previous versions had been repeatedly vetoed by Arnold Schwarzenegger.