Week 5 in Review – 2013

Event Related

  • Pentest & Reverse: iOS Application Hacking – esec-pentest.sogeti.com

    Last month, we gave some lectures about iOS application Hacking first at GreHack (Grenoble, France) and then at Hack.Lu (Luxembourg, Luxembourg). Here you will find the slides and the paper. Don’t hesitate to send us your questions.

Resources

  • The Red team Mindset Course Part 1 (PDF) – redteams.net

    This is the first part (2 hours) of a Red Team Mindset Course that I gave to a group. I am trying to find a good venue to do it for the open public.

  • Android Application Assessment – resources.infosecinstitute.com

    Android is developed by Google and is a Linux based platform. It uses its own virtual machine called Dalvik Virtual Machine (DVM) to run .dex files, which is very similar to .class files of Java. This paper discusses the assessment on a Windows machine.

  • What The Rails Security Issue Means For Your Startup – kalzumeus.com

    January has been a very bad month for Ruby on Rails developers, with two high-severity security bugs permitting remote code execution found in the framework and a separate-but-related compromise on rubygems.org, a community resource which virtually all Ruby on Rails developers sit downstream of.

  • Introduction to WMI Basics with PowerShell Part 1 – darkoperator.com

    WMI is the Microsoft implementation of Web-Based Enterprise Management (WBEM), with some enhancements in the initial version of it. WBEM is an industry initiative to develop a standard technology for accessing management information in an enterprise environment that covers not only Windows but also many other types of devices like routers, switches, storage arrays, etc. WMI uses the Common Information Model (CIM) industry standard to represent systems, applications, networks, devices, and other managed components. CIM is developed and maintained by the Distributed Management Task Force (DMTF).

Tools

  • Password Hashes Dump Tools
    • Password hashes dump tools – docs.google.com

      Password hashes dump tools in one source.

    • Dump Windows password hashes efficiently – Part 6 – bernardodamele.blogspot.com

      When you log in to a network resource like a network share, a proxy server behind NTLM authentication, a database management system, a mail server, etc., you can often instruct your client to save the password, typically by simply ticking the box “Remember my password”.

  • ROPgadget tool v4.0.0 – shell-storm.org

    This tool lets you search for gadgets in your binaries (ELF format) to facilitate your ROP exploitation. Since version 3.0, ROPgadget has an auto-roper for building your payload automatically with the gadgets found.

  • Developer Tools – opentools.homeip.net

    The Developer Tools for UPnP™ Technologies is a set of development and reference tools for creating software that is compatible with the UPnP specifications.

  • Open Web Application Security Project: OWASP Zed Attack Proxy v 2.0.0 – blogspot.com

    There is a new version of the OWASP Zed Attack Proxy (ZAP) available right now, and there are so many changes in it that we’ve decided to call it version 2.0.0.

  • TLSSLed v1.3 – blog.taddong.com

    This version is the result of testing lots of HTTPS (SSL/TLS) implementations during real-world pen-tests, so it is full of minor improvements and extra checks to identify different behaviors we have found in the wild (see the changelog inside the tool/script: “New in version 1.3” section).

  • VulnVoIP: 1 – vulnhub.com

    VulnVoIP is based on a relatively old AsteriskNOW distribution and has a number of weaknesses. The aim is to locate VoIP users, crack their passwords and gain access to the Support account voicemail.

  • Weevely – github.com

    Weevely is a stealth PHP web shell that simulates an SSH-like connection. It is an essential tool for web application post exploitation, and can be used as a stealth backdoor or as a web shell to manage legit web accounts, even free hosted ones.

Techniques

  • How do I phish? – Advanced Email Phishing Tactics – pentestgeek.com

    One of the first things we need to do in any phishing campaign is enumerate email addresses. How are we going to send emails if we don’t know where we are sending to? This is where Jigsaw comes in handy to quickly and easily enumerate email addresses for us.

  • Use .NET csc.exe to create a malicious EXE on locked down systems – phillips321.co.uk

    So on a locked-down system you might find yourself with no ability to import malicious code, or for that matter execute it due to Anti-Virus protection. So what about just writing the code up in notepad and then compiling it using csc.exe? Note: csc.exe comes packaged with each of the .NET framework versions.

Vendor/Software Patches

  • About the security content of iOS 6.1 Software Update – support.apple.com

    This document describes the security content of iOS 6.1. For the protection of our customers, Apple does not disclose, discuss, or confirm security issues until a full investigation has occurred and any necessary patches or releases are available. To learn more about Apple Product Security, see the Apple Product Security website.

  • Critical Java Update Fixes 50 Security Holes – krebsonsecurity.com

    Oracle Corp. has issued an update for its Java SE software that plugs at least 50 security holes in the software, including one the company said was actively being exploited in the wild.

Vulnerabilities

  • UPnP
    • Security Flaws in Universal Plug and Play: Unplug, Don’t Play – community.rapid7.com

      This morning we released a whitepaper entitled Security Flaws in Universal Plug and Play. This paper is the result of a research project spanning the second half of 2012 that measured the global exposure of UPnP-enabled network devices.

    • Exposed UPNP Devices – isc.sans.edu

      Rapid7 conducted a widely quoted study, scanning the Internet on port 1900/udp to find devices that expose UPnP [1]. Universal Plug and Play (UPnP) is a protocol frequently supported by home gateways to automate firewall configurations.

  • Your company’s security posture is probably horrible (but it might be OK). – blog.thinkst.com

    In part, it’s because computer security is a hard problem. Armchair pundits sometimes draw comparisons between information security and other scientific disciplines. “We are able to build bridges safely & repeatably and should be using scientific methods to keep our information secure”. It’s as if merely using the words “scientific methods” would magically make the problem go away.

  • Keeping our users secure – blog.twitter.com

    As you may have read, there’s been a recent uptick in large-scale security attacks aimed at U.S. technology and media companies. Within the last two weeks, the New York Times and Wall Street Journal have chronicled breaches of their systems, and Apple and Mozilla have turned off Java by default in their browsers.

  • SCADA (in)Security – marcoramilli.blogspot.com

    During the last weeks I’ve been involved in some SCADA systems testing. It has been quite a new world for me, no memory overflows or ROP, no specific deobfuscator techniques; just plain text analysis, sometimes even too easy old web style (in)security.

Other News

  • Pentagon to boost cybersecurity force – washingtonpost.com

    The Pentagon has approved a major expansion of its cybersecurity force over the next several years, increasing its size more than fivefold to bolster the nation’s ability to defend critical computer systems and conduct offensive computer operations against foreign adversaries, according to U.S. officials.

  • WhatsApp privacy practices under scrutiny – news.cnet.com

    The popular cross-platform mobile instant messenger contravened Canadian and Dutch data and privacy laws over the requirement to upload users’ phone numbers. Read this article by Zack Whittaker on CNET News.

  • Defending DHS as a Cybersecurity Leader – bankinfosecurity.com

    The top Department of Homeland Security policymaker focused exclusively on cybersecurity, Mark Weatherford, defends DHS’s ability to take a leading role in safeguarding civilian agencies and key national IT systems. His viewpoint challenges questions raised about the department’s capabilities by critics such as Sen. John McCain.

  • Hackers in China Attacked The Times for Last 4 Months – nytimes.com

    After surreptitiously tracking the intruders to study their movements and help erect better defenses to block them, The Times and computer security experts have expelled the attackers and kept them from breaking back in.

February 4th, 2013 | Security Conferences, Security Tools, Security Vulnerabilities, Week in Review