Events Related
- Source Barcelona 2011 Materials – blog.pentestify.com/source-barcelona-2011-materials
Quick post to link our information from Source Barcelona 2011. @kernelsmith & I discussed alternative use cases for the Metasploit Framework. The presentation was shotgun / AHA! style, meaning we had a number of 5 minute mini-presentations within the larger 50 minute preso.
- DeepSec Diary – blog.c22.cc/2011/11/22/deepsec-2011-quick-roundup/
The first day started off with the usual 6am start to get to Vienna in time for registration. I arrived a few minutes late for the keynote, but quickly got into the swing of things. The keynote (How Terrorists Encrypt) was a discussion of how terrorist organisations (mostly Al Qaeda and connected cells) use encryption to communicate.
Resources
- A Duqu Briefing – blog.opensecurityresearch.com
The landscape of malware has drastically changed in the last few years. It has hardly been a year since the security community identified Stuxnet, which some believe was the most menacing malware in history… And now we have Duqu making the news. The Laboratory of Cryptography and System Security at Budapest University of Technology and Economics identified a worm on October 14th 2011 and named the threat Duqu [dyü-kyü] because it creates files with the name prefix “~DQ”.
- Ask Hacker And Security Gadfly Moxie Marlinspike – interviews.slashdot.org
I’ve worked as a software engineer, hacker, sailor, captain, and shipwright. I’m currently a fellow at the Institute For Disruptive Studies, run a cloud-based password cracking service, and am a co-founder of Whisper Systems. I like computer security, particularly areas around secure protocols, cryptography, privacy, and anonymity. I have to admit that I’m more inspired by software engineers who become interested in computer security, rather than the other way around.
Tools
- UPDATE: NetworkMiner 1.2! – sourceforge.net/projects/networkminer/files/networkminer/
NetworkMiner is a Network Forensic Analysis Tool (NFAT) for Windows. NetworkMiner can be used as a passive network sniffer/packet capturing tool in order to detect operating systems, sessions, hostnames, open ports etc. without putting any traffic on the network.
- UPDATE: John The Ripper v1.7.9! – download.openwall.net/pub/projects/john/1.7.8/
John the Ripper is a fast password cracker, currently available for many flavors of Unix, Windows, DOS, BeOS, and OpenVMS. Its primary purpose is to detect weak Unix passwords. It supports several crypt(3) password hash types commonly found on Unix systems, as well as Windows LM hashes.
- sqlsus 0.7.1 Released – MySQL injection and takeover tool – sourceforge.net/projects/sqlsus/files/sqlsus/sqlsus-0.7.1.tgz/download
sqlsus is an open source MySQL injection and takeover tool, written in perl. Via a command line interface, you can retrieve the database(s) structure, inject your own SQL queries (even complex ones), download files from the web server, crawl the website for writable directories, upload and control a backdoor, clone the database(s), and much more… Whenever relevant, sqlsus will mimic a MySQL console output.
- PowerSyringe – PowerShell-based Code/DLL Injection Utility – exploit-monday.com
So I decided to expand upon my previous post and create a slightly more full-featured Powershell-based code/DLL injection utility. Behold, PowerSyringe. As the name implies, I based some of the code on the original Syringe toolkit.
- PMCMA tool resources and links – pmcma.org
Pmcma is a tool aimed at determining if a given software bug is an exploitable vulnerability by automatically writing an exploit for it. Like every powerful tool made by human beings, it is double-edged: it can be used for good or evil.
- VoIP Hopper 2.01 Released – IP Phone VLAN Hopping Tool – darknet.org.uk
VoIP Hopper is a GPLv3 licensed security tool, written in C, that rapidly runs a VLAN Hop into the Voice VLAN on specific ethernet switches. VoIP Hopper does this by mimicking the behavior of an IP Phone, in Cisco, Avaya, and Nortel environments.
- WPScan 1.1 Released – ethicalhack3r.co.uk
I am pleased to announce, after 5 months of work, that WPScan version 1.1 has been released!
- Windows Privesc Check – code.google.com
Windows-privesc-check is a standalone executable that runs on Windows systems (tested on XP and Windows 7 only so far). It tries to find misconfigurations that could allow local unprivileged users to escalate privileges to other users or to access local apps (e.g. databases).
Techniques
- 802.bah – Beware the SiriSheep Attack! – rationalsurvivability.com
On the heels of a French group reverse-engineering the Siri protocol by intercepting requests to the Internet-based server that Apple sends Siri requests to, Pete Lamonica, a first-time Ruby developer, has produced another innovative hack.
- Hacking PLC From The Internet Part1.1 (Edited) – dsecrg.blogspot.com
So many of you guys probably know that SCADA systems can be found on the internet. It is not so hard. You just need to know google or shodanhq search strings. But what is more important is that PLC devices, which must be much more secure from the outside than SCADA, are also available from the internet!
- Oracle Web Hacking Part II – ethicalhacker.net
In Part 2 of 3 of this ongoing series of columns, I’ll dive into attacking the Oracle Application Server Portal (OracleAS Portal). I’ll focus on Oracle 9i and 10g up to Release 2. With 11g (10.3.x) Oracle moved to Weblogic, and it’s completely different and therefore out of the scope of this series. But there are plenty of shops out there still using 9i and 10g, which gives us plenty of opportunity for breaking stuff. So, let’s get to it.
- SCADA Hacks Published On Pastebin – isc.sans.edu
pastebin.com has become a simple platform to publish evidence of various attacks. Lenny a few months back already noted that it may be useful for organizations to occasionally search pastebin for data leakage. Recently, an individual using the alias of pr0f published evidence of attacking the South Houston water system.
- Quick Tip: Pastebin Monitoring & Recon – isc.sans.edu
One reader wrote in to say that you could use Google Alerts to monitor Pastebin for names and keywords of interest to you, but you may prefer a Google Custom Search instead. Configure it to monitor Pastebin and other similar sites; set names and keywords that are relevant for your needs.
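The two ISC items above (the pr0f paste and the monitoring tip) both come down to the same task: regularly pull paste text and flag anything that names your organisation or looks like a credential dump. Google Alerts or a Custom Search will find the keyword hits, but once you have the text you still need a triage filter. The following is an added example, not code from ISC or from any tool listed on this page; the watch terms, the credential patterns and the three sample pastes are constructed placeholders, and an organisation would substitute its own names and domains.

```python
"""Keyword and credential-pattern triage for paste-site text.

Added example: scores constructed paste records by how strongly they
match an organisation's watch list and generic credential-leak patterns,
so the obvious dumps surface before anyone reads the rest by hand.
"""
import re
from dataclasses import dataclass, field

# Assumed watch list: names, domains and host names the organisation cares
# about. Compared case-insensitively against the paste body.
WATCH_TERMS = ["example corp", "example.org", "scada-hmi01"]

# Generic patterns that indicate leaked credentials even when no watch
# term appears. The ipv4 pattern also matches version strings, so it is
# deliberately the weakest signal in the score below.
CRED_PATTERNS = {
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    # "login: bob password: hunter2" style lines (user and password on one line)
    "user_pass_pair": re.compile(
        r"(?im)^\s*(?:user(?:name)?|login)\s*[:=]\s*\S+.*?(?:pass(?:word)?|pwd)\s*[:=]\s*\S+"
    ),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
}


@dataclass
class Hit:
    paste_id: str
    terms: list = field(default_factory=list)      # watch terms found
    patterns: list = field(default_factory=list)   # credential patterns found

    @property
    def score(self) -> int:
        # A watch-term match is worth twice a generic pattern match: a dump
        # that names you matters more than a random email in a paste.
        return 2 * len(self.terms) + len(self.patterns)


def scan_paste(paste_id: str, text: str) -> Hit:
    """Return the watch terms and credential patterns present in one paste."""
    lowered = text.lower()
    hit = Hit(paste_id)
    hit.terms = [t for t in WATCH_TERMS if t in lowered]
    hit.patterns = [name for name, rx in CRED_PATTERNS.items() if rx.search(text)]
    return hit


def triage(pastes: dict, min_score: int = 2) -> list:
    """Score every paste and return the ones worth a human look, best first."""
    hits = [scan_paste(pid, body) for pid, body in pastes.items()]
    return sorted((h for h in hits if h.score >= min_score), key=lambda h: -h.score)


# Constructed sample pastes (not real paste-site content).
SAMPLE_PASTES = {
    "abc123": "Dumped from scada-hmi01 (Example Corp)\nlogin: operator password: 123\n10.0.0.7",
    "def456": "lorem ipsum recipe for bread",
    "ghi789": "contact me at someone@somewhere.net",
}

if __name__ == "__main__":
    for hit in triage(SAMPLE_PASTES):
        print(f"{hit.paste_id}: score={hit.score} terms={hit.terms} patterns={hit.patterns}")
```

In practice the paste bodies come from whatever feed you already have (a search alert, a scraping job, a paid paste archive); the scoring is the part worth keeping, and raising `min_score` is the knob for cutting noise when the watch list contains common words.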
Vulnerabilities
- Mass Disclosure of Vulnerabilities In SAP From ERPScan Specialists – erpscan.com
This month ERPScan specialists published 8 vulnerabilities of different criticality, found in SAP products. Vulnerabilities representing almost all risks from the OWASP Top 10, from path traversal and XSS to authorization bypass and code injection, were published on ERPScan.com.
Other News
- Hacker Says Texas Town Used Three Character Password To Secure Internet Facing SCADA System – threatpost.com
The hacker, using the handle “pr0f”, took credit for a remote compromise of supervisory control and data acquisition (SCADA) systems used by South Houston, a community in Harris County, Texas.
- Mobile ‘Rootkit’ Maker Tries To Silence Critical Android Dev – wired.com
A data-logging software company is seeking to squash an Android developer’s critical research into its software that is secretly installed on millions of phones, but Trevor Eckhart is refusing to publicly apologize for his research and remove the company’s training manuals from his website.