Week 42 in Review – 2012

Event Related

  • Ruxcon Breakpoint
  • OMFW 2012
    • OMFW 2012: The Analysis of Process Token Privileges – volatility-labs.blogspot.com
      Reverse engineering windows systems nowadays involves looking at static data, such as executables, symbols, pdbs, and/or dynamic data when debugging with a tool like windbg. Determining data structures and the meaning of their content has proven to be time consuming, especially when dealing with undocumented objects.
    • OMFW 2012: Mining the PFN Database for Malware Artifacts – volatility-labs.blogspot.com
      This OMFW talk was enlightening, as George shared stories of tracking single UDP packets between hosts in China, his experiences single-stepping through the Windows kernel, and how he tracked a TDI object with an NTFS pool tag in deallocated memory.
  • HackerCon 3
    • Hack3rcon 3 Videos – irongeek.com
      Here are the videos from Hack3rcon^3. Enjoy.
    • DNSRecon from Hack3rCon 3 – novainfosec.com
      At HackerCon today I had a chance to sit in on Carlos “@carlos_perez” Perez’s DNSRecon talk. This awesome tool brings together all the tips and tricks that Carlos has learned and used over the years into one easy-to-use package.
  • Hack In The Box 2012 Malaysia: Like No Other – zdnet.com
    Controversial Global hacking conference Hack In The Box just celebrated its ten-year mark in Kuala Lumpur, Malaysia. The event attracted hackers from all over the world and company participants that included Google, Mozilla, Microsoft, Amazon, sponsor ‘friends’ such as Megaupload, and many more.
  • Group Policy Preferences and Getting Your Domain 0wned – carnal0wnage.attackresearch.com
    I did a talk at the Oct 20012 NovaHackers meeting on exploiting 2008 Group Policy Preferences (GPP) and how they can be used to set local users and passwords via group policy.
  • ICSJWG in Review – digitalbond.com
    The ICSJWG meeting was this past week in Denver, and the schedule was packed with great presentations, and speakers with a wealth of experience to share with the ICS community. There was a significant bump in attendance this time around.
  • Toorcon14 – always-debugged.never-unpacked.net
    Links for Toorcon 14
  • Information Superiority – vrt-blog.snort.org
    I presented yesterday at the 9th annual Hackers2Hackers conference in Sao Paulo on the subject of information superiority, a subject the VRT has long been fond of. My slides are here for those who’d like to read them.


  • Pass the Hash w/o Metasploit – Part 2 – room362.com
    Anywho, I was once in a similar scenario, where I had no Metasploit to back me up, but the box I was on did have one interesting thing, ruby and an accessible target for relatively up-to-date ruby gems. Since Metasploit’s powerhouse library ‘rex’ installed just fine I was set.
  • The Scrap Value of a Hacked PC, Revisited – krebsonsecurity.com
    I recently updated the graphic (below) to include some of the increasingly prevalent malicious uses for hacked PCs, including hostage attacks — such as ransomware — and reputation hijacking on social networking forums.
  • More with Mimikatz (Crypto Module) – carnal0wnage.attackresearch.com
    The Crypto module does some interesting things. I briefly talked about stealing certificates at DerbyCon. the crypto module helps you do this.
  • miniFlame aka SPE: “Elvis and his friends” – securelist.com
    In May 2012, a Kaspersky Lab investigation detected a new nation-state cyber-espionage malware, which we named “Flame”. Our research also identified some distinguishing features of Flame’s modules. Based on those features, we discovered that in 2009, the first variant of the Stuxnet worm included a module that was created based on the Flame platform.
  • Steam Browser Protocol University – revuln.com
    In this paper we will uncover and demonstrate a novel and interesting way to convert local bugs and features in remotely exploitable security vulnerabilities by usin the well known Steam platform as attack vector against remote systems.
  • Before We Knew It – users.ece.cmu.edu
    An empirical study of zero-day attacks in the real world.
  • Backdoors are Forever: Hacking Team and the Targeting of Dissent? – citizenlab.org
    In this report, Citizen Lab Security Researcher Morgan Marquis-Boire describes analysis performed on malicious software used to compromise a high profile dissident residing in the United Arab Emirates.
  • Olmasco bootkit: next circle of TDL4 evolution (or not?) – blog.eset.com
    Olmasco (also known as SST, MaxSS) is a modification of the TDL4 bootkit family that we’ve been aware of since summer 2011. We started to track a new wave of activity from a new Olmasco dropper at the end of this summer. This bootkit family was the second to use VBR (Volume Boot Record) infection to bypass kernel-mode code signing policy since Rovnix (Rovnix bootkit framework updated) appeared in-the-wild.
  • Virus Share – virusshare.com
    Another torrent of 26.54GB of #malware samples has been added to the tracker!


  • Hands-on: Securing iOS, pwning your kids with Apple Configurator 1.2 – arstechnica.com
    Apple recently released the latest version of Configurator, the company’s management software for iOS devices, for download in the Mac App Store. Configurator version 1.2 is intended to give organizations a way to mass-configure iPads, iPhones, and even iPods with applications, settings, and security policies.
  • Pentest Scripts: Verifying NTP Reserved Mode Denial of Service – blog.opensecurityresearch.com
    I recently needed to check a NTP Reserved Mode Denial of Service vulnerability CVE-2009-3563, but without causing the DoS condition on the production server. The issue comes up when one NTP daemon queries another with the MODE_PRIVATE flag set.
  • Extracting data protection class from files on iOS – securitylearn.net
    On iOS, every file is encrypted with an unique encryption key as illustrated in the image. The content of a file is encrypted with a per-file key, which is wrapped with a class key (data protection class key) and stored in a file’s metadata, which is in turn encrypted with the file system key (EMF key). The file system key is generated from the hardware UID. UID is unique per device and it is embedded in hardware and inaccessible to code running on CPU.
  • Sidestepping Microsoft SQL Server Authentication – blog.securestate.com
    While we, as penetration testers, love compromising systems during assessments, we all know the most important portion of a penetration test is actually getting access to critical data and systems. So, post exploitation, I generally head for the database servers. However, depending on the permissions model of the target database, there may still be another hurdle to bypass.
  • Setting System’s Proxy Settings with Metasploit – room362.com
    One of the great things about the reverse_http(s) payloads is that it is proxy aware. However one of the pitfalls to this is that SYSTEM doesn’t have proxy settings, nor do users who have never logged into a system (unless profile loading is triggered).


  • ThreatModeler 2.1 – myappsecurity.com
    MyAppSecurity is proud to release ThreatModeler™ 2.1. Packed with several in-demand features to easily manage threats and measure the state of security at an organization, this new release comes updated with mobile application threats mapped to their corresponding security controls to mitigate mobile application risks at your organization.
  • Ettercap 0.7.5 Assimilation – sourceforge.net
    Ettercap is a comprehensive suite for man in the middle attacks. It features sniffing of live connections, content filtering on the fly and many other interesting tricks. It supports active and passive dissection of many protocols and includes many features for network and host analysis.
  • The VLAN Hopper – commonexploits.com
    Frogger is a simple, open source bash script, that automates the process of VLAN enumerating and hopping end to end with interactive menus, leveraging tools already made for the process. This is it does within the Dynamic Trunking Protocol (DTP) and is mostly targeted towards Cisco devices.
  • rfcat – code.google.com
    RF ChipCon-based Attack Toolset
  • Eagleeye – github.com
    In the future I can see it being useful as an internal tool for people or shops that have tens of thousands of hosts that devs sort of do ‘whatever they want’ on, and there needs to be some accountability by the security team (like how many naked jboss or tomcat installs are there with default creds?)
  • The Pillager 0.7 Release – console-cowboys.blogspot.com
    For now check out Version 0.7.. Named searches and Data searches via external config files are now functioning properly as well as other bugs fixed along the way…

Vendor/Software Patches

  • iOS 6
    • 6 Reasons iOS 6 Jailbreaks Will Be Tough – informationweek.com
      Jailbreaking your iPhone is now legal in the United States, even if Apple has historically discouraged the process. With Apple’s release last month of iOS 6, iPhone hackers have, of course, set their sites on jailbreaking the new OS.
    • A lesser-known new feature in iOS 6: It’s tracking you everywhere – theregister.co.uk
      Apple has enabled user tracking of its customers once again, with the recently released iOS 6 enabling advertisers to see which apps users have run, and which adverts they’ve seen – all for the benefit of the users, of course.
  • Oracle Patch Update to Include 109 Patches – threatpost.com
    Buckle up Oracle administrators for 109 patches coming your way tomorrow. Oracle’s quarterly Critical Patch Update is due, and the company is releasing fixes for security vulnerabilities across most of its enterprise products, addressing a host of remotely exploitable flaws.
  • CVE-2012-5159 phpMyAdmin server_sync.php Backdoor Metasploit Demo – eromang.zataz.com
    This module exploits an arbitrary code execution backdoor placed into phpMyAdmin v3.5.2.2 thorugh a compromised SourceForge mirror.
  • Critical Java Patch Plugs 30 Security Holes – krebsonsecurity.com
    The latest versions, Java 7 Update 9 and Java 6 Update 37, are available either through the updater built into Java (accessible from the Windows control panel), or by visiting Java.com.
  • Adobe Reader and Acrobat get another layer of security – arstechnica.com
    Adobe announced new security features this week for its Reader and Acrobat XI products, including enhanced sandboxing, Force ASLR, PDF whitelisting, and Elliptic Curve Cryptography. In addition to a number of new features enhancing Reader’s and Acrobat’s PDF-creation capabilities, these security measures add another layer atop previous changes that have improved a once “widely exploited” app over the past two years.
  • Apple Makes OS X Safer By Removing Java – forbes.com
    Apple has taken another step towards making OS X safer on the web. An update released on Wednesday sees the Java plugin removed from all Mac-compatible browsers installed on the system.


  • Encryption found insufficient in many Android apps – h-online.com
    Researchers have discovered catastrophic conditions when analysing Android applications that use encryption: more than 1,000 of the 13,500 most popular Android apps showed signs of a flawed and insecure implementation of the SSL/TLS encryption protocol.

Other News

One Comment

  1. […] crackWhitelist-Datenbank von KASPERSKY lab verwaltet bereits mehr als 500 Millionen einzelne DateienWeek 42 in Review – 2012 #igit_rpwt_css { background:#FFFFFF;font-size:12px; font-style:normal; color:#000000 !important; […]

Leave A Comment