Week 51 In Review

Resources

• OWASP Risk Assessment Calculator – paradoslabs.nl
• Congress Authorizes Offensive Use of Cyberwarfare – fas.org
  Historic document via Federation of American Scientists “… Congress affirms that the Department of Defense has the capability, and upon direction by the President may conduct offensive operations in cyberspace to defend our Nation, Allies and interests, subject to–“

Tools

• UPDATE: RainbowCrack 1.5! – project-rainbowcrack.com/index.htm#download
  RainbowCrack uses time-memory tradeoff algorithm to crack hashes. It differs from the hash crackers that use brute force algorithm. RainbowCrack is a general propose implementation of Philippe Oechslin’s faster time-memory trade-off technique. It crack hashes with rainbow tables.
• UPDATE: WeBaCoo 0.2! – github.com/anestisb/WeBaCoo/zipball/master
  The WeBaCoo (Web Backdoor Cookie) script-kit is a tiny stealth PHP backdoor that is capable to provide a “pseudo”-terminal connection on a remote web server injected with a chunk of malicious PHP code. It does so by sending the server’s command output using the HTTP response headers. It sends shell commands hidden in Cookie headers obfuscated with base64 encoding and the output is transmitted back to client hidden (base64 encoded too) in Cookie headers after execution.
• No-permission Android App Gives Remote Shell – viaforensics.com
  I have been working at viaForensics as the Director of R&D for about 5 months now, and in that time I’ve been involved in some exciting research projects. I haven’t had the opportunity to blog on our company site yet so I thought I’d take a little time out and record a video to demonstrate an Android issue that is of interest to many of our clients.
• windows-privesc-check – pentestmonkey.net
  A long time ago, I started writing a tool to look for local privilege escalation vectors on Windows systems – e.g. weak permissions on files, directories, service registy keys.  I never quite got round to finishing it, but the project could still be useful to pentesters and auditors in its current part-finished state.
• Findbugs v2 released – findbugs.sourceforge.net/downloads.html
  FindBugs uses static analysis to inspect Java bytecode for occurrences of bug patterns.  Static analysis means that FindBugs can find bugs by simply inspecting a program’s code: executing the program is not necessary.  This makes FindBugs very easy to use: in general, you should be able to use it to look for bugs in your code within a few minutes of downloading it.

Techniques

• Guide To Dumping Windows Password Hashes (cont’d)
  Generally, dumping operating system users’ password hashes is a common action following a compromise of a machine: getting access to the password hashes might open the doors to a variety of attacks including, but not limited to, authenticate with the hash over SMB to other systems where passwords are reused, password policy analysis and pattern recognition, password cracking, etc.
• Dump Windows Password Hashes Efficiently – Part 3 – bernardodamele.blogspot.com
• Dump Windows Password Hashes Efficiently – Part 4 – bernardodamele.blogspot.com
• Dump Windows Password Hashes Efficiently – Part 5 – bernardodamele.blogspot.com
• KARMETASPLOIT, Pwning the Air! – resources.infosecinstitute.com
  Wireless networks have become very common in today’s world, people are used to be connected to wireless networks in office, home, coffee shops etc. In order to facilitate the process of connecting to the wireless network, most of the operating systems often remember the previous networks connected to (often stored in Preferred Networks List) and send continuous probes looking for these networks.
• tcpdump fu – rootsec.blogspot.com
  Packet capture is one of the most fundamental and powerful ways to do network analysis. You can learn virtually anything about what is going on within a network by intercepting and examining the raw data that crosses it. Modern network analysis tools are able to capture, interpret and describe this network traffic in a human-friendly manner.
• Insecure Object Mapping – carnal0wnage.attackresearch.com
  Over the last two cycles of OWASP top 10, insecure direct object reference has been included as major security risk. An object reference is exposed and people can manipulate that to access other objects they aren’t supposed to. But an apparently lesser-known problem is when the object itself is directly exposed. This happens when an object maps user-controlled form data directly to it’s properties with out validation.
• PSExec Scanner Auxiliary Module – darkoperator.com
  Some time ago I was talking with Martin Bos also know as @pure_hate one of the members of the Backtrack Development team and a Pentester and he mentioned that he would love to have a better way of using the psexec module that is already part on the framework in an easier way than using resource scripts which he had to modify and play with for each engagement.
• Secondary Shell Using Scripting Environment On Target – darkoperator.com
  After writing the payload inject module for Windows I was looking thru my Twitter feed and saw a tweet from Chris John Riley on the PentestMonkey website where he has a cheat sheet that shows how to use a targets scripting environment to create a reverse shell in one line executing with the code as an argument so that nothing is actually written to disk and the session resides in memory.
• Pen test and hack Microsoft sql server (mssql) – travisaltman.com
  All the information I’m about to go over is nothing new, I’m just trying to organize all my notes on pen testing mssql. Hopefully my notes will help others. All the commands and instructions are Linux based so keep that in mind.
• Cross Origin Resource Jacking – sheeraj.blogspot.com
  CSRF and UI Redressing (Click/Tab/Event Jacking) attack vectors are popular ways to abuse cross domain HTTP calls and events. HTML5, Web 2.0 and RIA (Flash/Silverlight) applications are loaded in browser with native state or using plug-ins. DOM used to be an integral part of the browser and now it is becoming even more important aspect with reference to web applications.

Other News

• Typosquatter hive targets holiday shoppers – itknowledgeexchange.techtarget.com
  With the hassle of finding the best deal and coping with the constant crowds, online shopping has never been more popular for the holiday season. But with that ease comes a warning from Websense: keep an eye out for online scams, particularly typosquatted sites.
• Does iOS encryption work, and does it protect all device data from being stolen? – viaforensics.com
  Technically iOS encryption does work – the data-at-rest on the device is encrypted using a hardware encryption chip (since iOS 4 and 3GS). It implements per-file keys that make deleted data recovery very difficult, and enables near “instant wipe” by deleting these keys.
• How secure is the iOS keychain? – viaforensics.com
  The keychain is a central database in iOS where credentials and sensitive data are stored by default apps such as Mail, other apps, and the Safari browser. The security provided by the keychain is now limited because techniques exist which cause iOS to decrypt it, or recover its contents from a backup file.
• How hackers gave Subway a $3 million lesson in point-of-sale security – arstechnica.com
  For thousands of customers of Subway restaurants around the US over the past few years, paying for their $5 footlong sub was a ticket to having their credit card data stolen. In a scheme dating back at least to 2008, a band of Romanian hackers is alleged to have stolen payment card data from the point-of-sale (POS) systems of hundreds of small businesses, including more than 150 Subway restaurant franchises and at least 50 other small retailers.
• ‘Anonymous’ hackers target US security think tank – yahoo.com
  The loose-knit hacking movement “Anonymous” claimed Sunday to have stolen thousands of credit card numbers and other personal information belonging to clients of U.S.-based security think tank Stratfor. One hacker said the goal was to pilfer funds from individuals’ accounts to give away as Christmas donations, and some victims confirmed unauthorized transactions linked to their credit cards.