Week 44 In Review

Events Related

• Mobile Security Summit 2011 – sensepost.com
  This week, Charl van der Walt and I (Saurabh) spoke at Mobile Security Summit organized by IIR. Charl was the keynote speaker and presented his insight on the impact of the adoption of mobile devices throughout Africa and the subsequent rise of security related risks.

Resources

• SAP Direct browsing URLS for Pentesting – secuirtyaegis.com
  Files archive and directory.
• Anatomy of A Pass Back Attack – foofus.net
  At Defcon 19 during my presentation we discussed a new attack method against printers. This attack method involved tricking the printer into passing LDAP or SMB credential back to attacker in plain text. We refer to this attack as a Pass-Back-Attack .
• Show Me Your DNS Logs, I’ll Learn About You! – blog.rootshell.be
  During the last BruCON edition, we operated our own DNS resolver. Instead of using public servers or the ones proposed by our ISP, pushing our own DNS resolver to network visitors can be really interesting. Of course, addicted to logs, I activated the “queries_log” feature of bind to log every requests performed by BruCON visitors.
• Homemade Hardware Keylogger/PHUKD Hybrid – irongeek.com
  The core goal of this project is to develop the code, circuitry and instructions necessary for building a hardware keylogger that is also a Programmable HID and key repeater with inexpensive hardware. Hardware keyloggers vary in price from around $33 to several hundred dollars. While I doubt I’ll be able to match the price of the very low end, I hope to be able to put together something that is inexpensive and flexible.
• Windows Shares – blog.ncircle.com
  All Windows shares come from this registry key during the boot procedure, which means it controls which directories you will share with others and how they will be shared. Furthermore, it doesn’t mean the change in the registry will be applied to the system instantly. It needs a reboot to make it work.
• Intro to HDMoore’s Law – cognitivedissidents.wordpress.com
  HDMoore’s Law concept came to me after a year of me asking “Is PCI the ‘No Child Left Behind Act’ for IT Security?” and subsequently my intuitive allergy to the following two pervasive, thought terminating clichés / platitudes… perhaps you’ve also heard them.

Tools

• SecTools.Org: Top 125 Security Network Tools –  sectools.org
  For more than a decade, the Nmap Project has been cataloguing the network security community’s favorite tools. In 2011 this site became much more dynamic, offering ratings, reviews, searching, sorting, and a new tool suggestion form.
• Netsurveyor – nutsaboutnets.com
  NetSurveyor is an 802.11 (WiFi) network discovery tool that gathers information about nearby wireless access points in real time and displays it in useful ways.  Similar in purpose to NetStumbler, it includes many more features.
• UPDATE: OWASP Mantra c0c0n 11 and AppSecLatam 11 release! – http://sourceforge.net/projects/getmantra/files/
  Mantra is a collection of free and open source tools integrated into a web browser, which can become handy for students, penetration testers, web application developers,security professionals etc. It is portable, ready-to-run, compact and follows the true spirit of free and open source software.
• Android Reverse Engineering Virtual Machine available for download now! – honeynet.org
  Do you need to analyze a piece of Android malware, but dont have all your analysis tools at hand? The Android Reverse Engineering (A.R.E.) Virtual Machine, put together by Anthony Desnos from our French chapter, is here to help. A.R.E. combines the latest Android malware analysis tools in a readily accessible toolbox.
• Registry Decoder 1.1. Released! – digitalforensicssolutions.com/registrydecoder/
  Digital Forensics Solutions is announcing the release of Registry Decoder 1.1, which has many completely new features and updates as well as bugfixes! Please see our previous blog post here for the initial release of Registry Decoder.
• sqlsus v0.7 Released – sqlsus.sourceforge.net/download.html
  sqlsus is an open source MySQL injection and takeover tool, written in perl. Via a command line interface, you can retrieve the database(s) structure, inject your own SQL queries (even complex ones), download files from the web server, crawl the website for writable directories, upload and control a backdoor, clone the database(s), and much more.
• Cvss2Calc – woanware.co.uk/downloads/Cvss2Calc.v.1.0.0.zip
  The Common Vulnerability Scoring System (CVSS) provides an open framework for communicating the characteristics and impacts of IT vulnerabilities. CVSS consists of 3 groups: Base, Temporal and Environmental. Each group produces a numeric score ranging from 0 to 10, and a Vector, a compressed textual representation that reflects the values used to derive the score.
• UPDATE: JavaSnoop 1.1 RC1! – code.google.com/p/javasnoop/downloads/list
  JavaSnoop is a tool that lets you intercept methods, alter data and otherwise hack Java applications running on your computer. It does so by allowing you attach to an existing process and instantly begin tampering with method calls, run custom code, or just watch what’s happening on the system.
• Safely Dumping Hashes From Live Domain Controllers – pauldotcom.com
  The basis of the talk and the purpose for our research is that there are some really cool things you can do with Volume Shadow Copies in modern Windows Operating Systems. Our talk takes the approach of using Shadow Copies for hiding malware on Windows systems, but Mark mentions during the talk how one can access protected system files through Shadow Copies as well.
• iSEC Partners Releases SSLyze to test your TLS and/or SSL setup – professionalsecuritytesters.org
  Transport Layer Security (TLS) and the Secure Socket Layer commonly called SSL, is one of the most widely used protocols to secure network communications. As costs fall and user security and privacy expectations rise companies are deploying it more widely every year. Attacks against the CA system, SSL implementation flaws and aging protocol versions have grabbed news headlines, bringing attention to weak configurations, and the need to avoid them.

Techniques

• Hacking Oracle From The Web: Part 2 – penetration-testing.7safe.com
  This paper examines new techniques to execute multiple statements via SQL Injection. No special privileges are needed to use these techniques and they work for all versions of Oracle Database from Oracle 9i to 11g R2. The paper specifically outlines how to achieve privilege escalation and OS code execution when exploiting SQL Injection vulnerability in a web app which in-turns connect to an Oracle database.
• Making Blind SQL More Efficient – pen-testing.sans.org
  Look at this DATABASE filled with glamorous merchandise and fabulous prices just waiting to be extracted on WHEEL OF FORTUNE. What, did you hear that differently than I did? How can the wheel of fortune be used to extract data from a database? The player that knows the statistical probability of characters appearing around other characters will win on Wheel of Fortune.
• Firewall Policy Creation In Group Policy – gse-cpmpliance.blogspot.com
  Tonight we are going to start by looking at creating an IPSec tunnel in Windows  Server. This will allow us to enforce authentication and connection rules between hosts and to ensure that our systems cannot be intercepted (at least not easily).
• How To Pull Passwords From A Memory Dump – cyberarms.wordpress.com
  The Common Vulnerability Scoring System (CVSS) provides an open framework for communicating the characteristics and impacts of IT vulnerabilities. CVSS consists of 3 groups: Base, Temporal and Environmental. Each group produces a numeric score ranging from 0 to 10, and a Vector, a compressed textual representation that reflects the values used to derive the score.
• Damn Small XSS Scanner – unconsciousmind.blogspot.com
  Damn Small XSS Scanner (DSXS) is a fully functional XSS scanner (supporting GET and POST parameters) written in under 100 lines of code. As of optional settings it supports HTTP proxy together with HTTP header values “User-Agent”, “Referer” and “Cookie”.
• Standalone Exploits Suck – community.rapid7.com
  There are many reasons why writing Metasploit exploit modules and submitting them to the Metasploit framework is a good idea. You’re not only going to help the community / professionals, but it will force you to think about various aspects of writing exploits and that should result in a better exploit.

Vendor/Software Patches

•  Wireshark updates: 1.6.3 and 1.4.10 released – www.wireshark.org
  Wireshark has released 1.6.3 (stable) and 1.4.10 (old stable) to address vulnerabilities and bug fixes.

Vulnerabilities

• Worth Reading: WOP protection in Windows 8 Bypassed – h-online.com
  Windows 8 offers a range of new protection mechanisms that are designed to hamper the efforts of exploit authors. However, shortly after the release of the Windows 8 Developer Preview, a way to circumvent one of these new obstacles has already been found.
• Microsoft Excel 2007 SP2 Buffer Overwrite Vulnerability/Exploit (MS11-021) – abysssec.com
  A remote code execution vulnerability exists in the way that Microsoft Excel handles specially crafted Excel files.An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
• CG’s Shared Items From Google Reader – carnal0wnage.attackresearch.com
  After testing a fair number of mobile applications I thought I would share 3 of the most common vulnerabilities I’ve come across thus far. In regards to scope, when referring to “mobile applications”, we really mean both the mobile application and the web-service.
• Hackers ‘Timthumb’ their noses at vulnerability to compromise 1.2 million sites – darkreading.com
  A vulnerability in an obscure WordPress add-on script that was discovered in August is currently being used to compromise more than 1.2 million websites — and could be easily used to siphon data out of databases hosted on servers also hosting the compromised websites, security experts warned today.

Other News

• Windows kernel and Duqu
  The mysterious Duqu malware attack exploited a zero-day vulnerability in the Windows kernel, according to security researchers tracking the Stuxnet-like cyber-surveillance Trojan.
• Zero day Windows kernel bug used in Duqu infections – news.cnet.com
• Windows kernel ‘zero-day’ found in Duqu attack – zdnet.com
• Duqu: Status Update Including Installer With Zero Day Exploit Found – symantec.com
• Microsoft issues temporary ‘fix-it’ for Duqu zero-day – zdnet.com
• New Open Source Tool Scans For Duqu Drivers – securityweek.com
• Facebook data harvesting
  The 102 “socialbots” researchers released onto the social network included a name and profile picture of a fictitious Facebook user and were capable of posting messages and sending friend requests. They then used these bots to send friend requests to 5,053 randomly selected Facebook users.
• ‘Socialbots’ steal 250GB of user data in Facebook invasion – news.cnet.com
• Facebook easily infiltrated by data-harvesting bots, researchers find – computerworld.com
• Nitro hackers use stock malware to steal chemical, defense secrets – computerworld.com
  Attackers used an off-the-shelf Trojan horse to sniff out secrets from nearly 50 companies, many of them in the chemical and defense industries, Symantec researchers said today.
• Nearly A Third of Execs Say Rogue Mobile Devices Are Linked To Their Networks – darkreading.com
  Organizations are concerned about the dangers posed by unauthorized mobile devices, according to a study published last week, but many aren’t sure what’s being done about it.
• China A Minimal Cyber security Threat – computerworld.com.au
  According to Ball, China had carried out a number of high-profile and successful hacks, denial of service attacks and website defacements in recent years. However, its offensive cyber-warfare capabilities were “fairly rudimentary.”
• Thoughts On Metasploit’s Impact – anti-virus-rants.blogspot.com
  I listened to the network security podcast #257 this afternoon, specifically because i wanted to hear what martin mckeay, josh corman, and hd moore had to say about metasploit and what josh corman calls HD Moore’s Law. there were a lot of mentions of PCI and being ‘this tall to ride the internet’, but the comment that really caught my ear (i was listening to it rather than reading it after all) was that metasploit allows people to test their security against the attacks that are readily available.