Week 37 In Review

Events Related

• Crack Me If You Can DefCon 2011 Insidepro team – contest.korelogic.com
  First of all, I must say that this year’s contest was a big improvement over last year. Not that last year was boring, far from that, but the feedbacks given last year were well understood and rectified this year. The weighted points depending on the hashing algorithm made much more sense. The bonuses and the challenges added a lot more spice and need for strategies.
• Rootcon 5: A Summary – sunbeltblog.blogspot.com
  I’m not saying all of my trips go horribly wrong, but exploding toilets, 1984 style televisions, badges that make no sense, surprises in alleyways and emergency fuel dumps could perhaps convince you otherwise. You’ll be pleased to know Rootcon 5 went off without a hitch (well, besides the earthquake drill, the eleven hours at Guangzhou airport and the lady with the foot in her face) and a great time was had by all.

Tools

• XCat: Exploit Boolean XPath Injections! – github.com/orf/xcat/downloads
  Prior to getting acquainted with XCat, let’s know what an XPath Injection actually is. XPath is a language for addressing parts of an XML document, designed to be used by both XSLT and XPointer.
• Multiple Dictionaries or Wordlists Using John The Ripper – room362.com
  John the ripper only takes one word list at a time. There are plenty of docs out there that show you how to cat all of your dictionaries into John’s stdin function but I like to run rules against my lists and I didn’t see any how-tos on doing this. Here is my way.
• UPDATE: BeEF v0.4.2.9 alpha! – code.google.com/p/list/downloads/list
  BeEF, the Browser Exploitation Framework is a professional security tool provided for lawful research and testing purposes. It allows the experienced penetration tester or system administrator additional attack vectors when assessing the posture of a target. The user of BeEF will control which browser will launch which exploit and at which target.
• UPDATE: NetworkMiner 1.1! – sourceforge.net/projects/networkminer/files/networkminer
  NetworkMiner is a Network Forensic Analysis Tool (NFAT) for Windows. NetworkMiner can be used as a passive network sniffer/packet capturing tool in order to detect operating systems, sessions, hostnames, open ports etc. without putting any traffic on the network. NetworkMiner can also parse PCAP files for off-line analysis and to regenerate/reassemble transmitted files and certificates from PCAP files
• UPDATE: BodgeIT v1.2.0!– code.google.com/p/bodgeit/download/list
  The BodgeIt Store is a vulnerable web application which is currently aimed at people who are new to pen testing.
• Lilith Web Application Security Tool – darknet.org.uk
  LiLith is a tool written in Perl to audit web applications. This tool analyses webpages and looks for html form tags , which often refer to dynamic pages that might be subject to SQL injection or other flaws. It works as an ordinary spider and analyses pages, following hyperlinks, injecting special characters that have a special meaning to any underlying platform.
• Open Source Tool Enables Security Tests For Chip Cards – h-online.com
  At this year’s Black Hat Conference, crypto expert Karsten Nohl of SRLabsdemonstrated the degate tool that can be used to take a closer look at applications stored on smartcards, such as credit cards and SIM cards.

Techniques

• Remote Windows SAM retrieval with VBScript – ox90.co.uk
  There’s no denying that PSExec and FGDump are useful tools on a infrastructure penetration test. FGDump is a problem however, in the fact that it needs to inject into a running process (lsass.dll) and therefore is often blocked by antivirus.
• DB2 SQL Injection: Select With Nth Row Without Cursors – pentesterconfessions.blogspot.com
  Well I’ve looked all over the net for this solution and I could not find the answer so after much trial an error I was able to build my own solution. Lets say you need to query one row at a time from DB2 and you cannot use cursors and specifically you need to query sysibm.systables. I came up with this solution and there may be a more elegant way but this worked.
• Reverse Shell One Liners – bernardodamerle.blogspot.com
  Inspired by the great blog post by pentestmonkey.net, I put together the following extra methods and alternatives for some methods explained in the cheat sheet. There is nothing cutting edge, however you may find this handy during your penetration tests.
• Pentesting WP7 Apps Part 1 – intrepidusgroup.com
  With over 30,000 apps in the marketplace within a year of launch, Microsoft’s Windows Phone 7 platform seems to grabbing consumer attention slowly but steadily. Though the installed user base is nowhere close to that of Android or iOS, Gartner’s predictions notwithstanding, in the last few months we’ve seen an increasing interest from companies on this new mobile platform.
• Who is Logged In? A Quick Way To Pick Your Targets – room362.com
  Say you go for the 500+ shells on an internal test or your phishing exersice goes way better than you thought. Well you need to get your bearings quickly and going into each shell and doing a ps, then looking through the list for all the users logged in is a bit of a pain and defintely not ideal.
• Exploiting The WordpPress Extension Repos – spareclockcycles.org
  Today’s post is kind of long, so I thought I should warn you in advance by adding an additional paragraph for you to read. I also wanted to provide download links for those who’d rather just read the code. It isn’t the cleanest code in the world, so I apologize in advance. I discuss what all of these are for and how they work later on in the post, so if you’re confused and/or curious, read on.

Vendor/Software Patches

• Adobe Closes 14 Holes In Reader and Acrobat – h-online.com
  Adobe has released new versions of Reader and Acrobat to close several critical security holes. Versions 10.x, 9.x and 8.x of both products for Windows, Linux and Mac are affected. Adobe recommends that Reader X and Acrobat X users update to version 10.1.1 as this version offers added protection under Windows through its sandbox.

Other News

• Certificate hacker probably paid by Iran, say victimized firms – computerworld.com
  The CEO of a certificate-issuing company that was hacked in March is even more certain now that a wave of attacks against similar firms is backed by the Iranian government.
• U.S. Agencies Making Progress In Cybercrime – computerworld.com
  U.S. government agencies are getting better at sharing information about cyberattacks with private companies, but cybercrime shows no signs of slowing down, cybersecurity experts told lawmakers Wednesday.
• Seven Ways You Give Thieves Dibs On Your Database – darkreading.com
  Every new data breach that hits the headlines snowballs the embarrassment for the IT security community, especially because this constant follies show revolves around recurring themes.
• U.S. and Australia to add cyber-realm in defense pact – news.cnet.com
  Cyberattacks are about to carry even more weight, with the United States and Australia expected to include them in a mutual defense treaty.The two nations will declare the cyber realm to be part of the 60-year-old treaty tomorrow, Reuters reports. The inclusion will mean that a cyberattack on one country could lead to a response by both.
• Italian Researcher Finds More SCADA Holes – news.cnet.com
  An Italian researcher has uncovered at least a dozen security flaws in software used in utilities and other critical infrastructure systems, prompting security advisories from the U.S. government.