Week 27 in Review – 2013

Event Related

Resources

  • A Penetration Tester’s Guide to IPMI and BMCs – community.rapid7.com
    Dan Farmer is known for his groundbreaking work on security tools and processes. Over the last year, Dan has identified some serious security issues with the Intelligent Platform Management Interface (IPMI) protocol and the Baseboard Management Controllers (BMCs) that speak it. This post goes into detail on how to identify and test for each of the issues that Dan identified, using a handful of free security tools.  If you are looking for a quick overview of the issues discussed in this post, please review the FAQ. Dan has also put together an excellent best practices document that is a must-read for anyone working on the remediation side.
  • So, You Wanna Be a Penetration Tester? – securitybistro.com
    It’s an exciting time to be a professional penetration tester.  As malicious computer attackers amp up the number and magnitude of their breaches, the information security industry needs an enormous amount of help in proactively finding and resolving vulnerabilities.  Penetration testers who are able to identify flaws, understand them, and demonstrate their business impact through careful exploitation are an important piece of the defensive puzzle.
  • Top 10 Proactive Web Application Security Measures – blog.whitehatsec.com
    The following represents a list of website security items that should be implemented with each new website launch. Rather than waiting until the site has gone live, these things should be done up front because fixing them afterwards is often a lot more painful. Because these are way harder to shoe-horn and retrofit after deployment, we rarely see these done correctly in practice.

Tools

  • simplerisk - Enterprise Risk Management Simplified – code.google.com
    After starting a Risk Management program from scratch at a $1B/yr company, Josh Sokol ran into these same barriers, and where budget wouldn’t let him go down the GRC route, he finally decided to do something about it. I would like to introduce you to SimpleRisk, a simple and free tool to perform risk management activities.
  • Burp Extension: Directory and File Listing Parser – Burp Site Map Importer – smeegesec.com
    Penetration testers, rejoice! While conducting application penetration tests it’s sometimes necessary to request specific information from the application owner or client. As a pen tester it can be extremely beneficial to perform a test with a full directory and file listing of the application, which sometimes can be difficult to acquire.
  • introducing zarp – forelsec.blogspot.com
    zarp is a local network attack toolkit that emphasizes absolute control over local networks. Its end goal is to provide a very clean, modular, well-defined interface into a network, handing absolute control over to the user.

Techniques

  • Function Hooking Part I: Hooking Shared Library Function Calls in Linux – netspi.com
    When assessing an application for weaknesses in a Linux environment, we won’t always have the luxury of freely available source code or documentation. As a result, these situations require more of a black box approach where much of the information about the application will be revealed by attempting to monitor things such as network communications, calls to cryptographic functions, and file I/O.
  • Using PowerShell to Copy NTDS.dit / Registry Hives, Bypass SACLs / DACLs / File Locks – clymb3r.wordpress.com
    Currently there are a few ways to dump Active Directory and local password hashes. Until recently, the techniques I had seen used to get the hashes either relied on injecting code into LSASS or using the Volume Shadow Copy service to obtain copies of the files which contain the hashes. I have created a PowerShell script called Invoke-NinjaCopy that allows any file (including NTDS.dit) to be copied without starting suspicious services, injecting into processes, or elevating to SYSTEM. But first, a little background.
  • Hacking WordPress with XSS to Bypass WAF and Shell an Internal Box – ethicalhacker.net
    As with most modern, popular CMSs, the WordPress application itself is hardened and secure out of the box.  But to get all of the cool ‘stuff’ to make your site memorable and engaging, WordPress site owners often use 10 – 20 plugins for each installation.  As of July 2013, WordPress.org lists 25,700 plugins with more than 475 million downloads, and that doesn’t include those outside of the WordPress repository.  It’s these third party plugins that leave a tight framework vulnerable to exploitation and attempts at hacking WordPress common.  Many installed plugins remain unpatched or overlooked, and even those not activated through the WordPress Dashboard provide an excellent attack surface.  With shared hosting plans and consolidated corporate data centers, it is more often than not that your instance of WordPress is not the only web application residing on your server.
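The function hooking item above describes watching a black-box Linux binary's file I/O, network calls and crypto calls without source. As an added example (not code from the NetSPI post or any project it describes), the following C file is a minimal LD_PRELOAD shim that interposes open(2), records every path the target touches, and still reaches the real libc implementation through dlsym(RTLD_NEXT). The helper names (hook_open_count, hook_opened_path, hook_reset), the log buffer size and the build commands in the header comment are my own choices; LD_PRELOAD interposition is the standard Linux mechanism for this kind of hook, and the linked post may use a different variation of it.

```c
/*
 * Added example: LD_PRELOAD shim that hooks open(2) for black-box monitoring.
 *
 * Build as a shared object and preload it into the target:
 *   gcc -shared -fPIC -o hook_open.so hook_open.c -ldl
 *   LD_PRELOAD=./hook_open.so ./target_binary
 * Or build it as a plain executable to watch the hook fire in main():
 *   gcc -o hook_demo hook_open.c -ldl && ./hook_demo
 * (-ldl is not needed on glibc 2.34+ but is harmless there.)
 */
#define _GNU_SOURCE
#include <dlfcn.h>
#include <fcntl.h>
#include <stdarg.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define MAX_LOG 64          /* assumed capacity of the in-memory call log */
#define MAX_PATH_LEN 256

/* Record of intercepted calls, so the log can be inspected programmatically
 * and not only read off stderr. */
static char hooked_paths[MAX_LOG][MAX_PATH_LEN];
static int hooked_count = 0;

int hook_open_count(void) { return hooked_count; }

const char *hook_opened_path(int index) {
    return (index >= 0 && index < hooked_count) ? hooked_paths[index] : NULL;
}

void hook_reset(void) { hooked_count = 0; }

typedef int (*open_fn_t)(const char *, int, ...);

/* This open() shadows libc's: the preloaded object sits before libc in the
 * dynamic linker's search order, so the target's calls resolve here first.
 * RTLD_NEXT then locates the next definition, i.e. the real libc open(). */
int open(const char *path, int flags, ...) {
    static open_fn_t real_open = NULL;
    if (real_open == NULL) {
        real_open = (open_fn_t)dlsym(RTLD_NEXT, "open");
    }

    /* open() only carries a mode argument when O_CREAT is set. */
    int mode = 0;
    if (flags & O_CREAT) {
        va_list ap;
        va_start(ap, flags);
        mode = va_arg(ap, int);
        va_end(ap);
    }

    if (hooked_count < MAX_LOG) {
        snprintf(hooked_paths[hooked_count], MAX_PATH_LEN, "%s", path);
        hooked_count++;
    }
    fprintf(stderr, "[hook] open(\"%s\", flags=0x%x, mode=0%o)\n", path, flags, mode);

    return real_open(path, flags, mode);
}

int main(void) {
    /* Stand-in for the black-box target: it just opens a well-known path. */
    int fd = open("/dev/null", O_RDONLY);
    if (fd >= 0) close(fd);
    fprintf(stderr, "intercepted %d open() call(s); first path: %s\n",
            hook_open_count(), hook_opened_path(0));
    return 0;
}
```

Two caveats a tester should keep in mind: the shim only sees calls that go through the PLT, so statically linked binaries, direct syscall() wrappers and libc-internal paths (for example fopen's own open64 call on some glibc builds) will not show up, and the loader ignores LD_PRELOAD for setuid/setgid programs. Hooking open64, openat, connect, read and write in the same file covers most of what the post's use cases need.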

Vendor/Software Patches

  • Get-GPPPassword Redux – obscuresecurity.blogspot.com
    It’s been over a year since I threw together the original Get-GPPPassword on a short flight and I was really having a hard time even looking at the code. In addition to a nagging bug, it needed to be rewritten and updated to include all the great recommendations from you guys.

Vulnerabilities

  • Android Hack-Tool Steals PC Info – f-secure.com
    Over the weekend, Yeh, one of our Security Response Analysts, came across some interesting analysis on a Chinese language forum about an Android app that basically turns a mobile device into a hack-tool capable of stealing information from a connected Windows machine.
  • Potential attack vectors against Z-Wave – blog.opensecurityresearch.com
    A couple years ago I was doing some research on Z-Wave, and after sifting through what was publicly available regarding the protocol I came up with some ideas as to how it might be attacked.
  • Hacker Holes in Server Management System Allow ‘Almost-Physical’ Access – wired.com
    Major vulnerabilities in a protocol for remotely monitoring and managing servers would allow attackers to hijack the computers to gain control of them, access or erase data, or lock others out. The vulnerabilities exist in more than 100,000 servers connected to the internet, according to two researchers.
  • Vulnerability in Android’s Security Model
    • Uncovering Android Master Key That Makes 99% of Devices Vulnerable – bluebox.com
      The Bluebox Security research team – Bluebox Labs – recently discovered a vulnerability in Android’s security model that allows a hacker to modify APK code without breaking an application’s cryptographic signature, to turn any legitimate application into a malicious Trojan, completely unnoticed by the app store, the phone, or the end user.
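The Bluebox item above says only that an APK can be modified without breaking its signature. The publicly disclosed condition behind that bug is a ZIP archive whose central directory lists the same file name twice, so that the code that verifies the signature and the code that extracts the file can each pick a different entry. As an added example (not Bluebox's code, and not a reproduction of the Android bug itself), the following C program checks an APK/ZIP for exactly that condition. It includes a tiny in-memory ZIP builder so the check runs offline on constructed input; the constant names, build_zip and count_duplicate_entries are my own.

```c
/*
 * Added example: flag ZIP/APK archives that carry duplicate file names in the
 * central directory, the condition behind the Android "master key" bug.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ZIP_LOCAL_SIG   0x04034b50u   /* local file header signature   */
#define ZIP_CENTRAL_SIG 0x02014b50u   /* central directory entry       */
#define ZIP_EOCD_SIG    0x06054b50u   /* end of central directory      */

static void put16(uint8_t *p, uint16_t v) { p[0] = v & 0xff; p[1] = v >> 8; }
static void put32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (v >> (8 * i)) & 0xff; }
static uint16_t get16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t get32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

struct zip_entry { const char *name; const char *data; };

/* Build a minimal "stored" (uncompressed) ZIP from constructed entries. CRCs
 * are left zero because the duplicate-name check never reads them. Returns the
 * archive length, or 0 if the buffer is too small. Assumes at most 32 entries. */
size_t build_zip(const struct zip_entry *entries, int n, uint8_t *out, size_t cap) {
    size_t off = 0;
    uint32_t local_off[32];
    if (n > 32) return 0;
    for (int i = 0; i < n; i++) {
        uint16_t nlen = (uint16_t)strlen(entries[i].name);
        uint32_t dlen = (uint32_t)strlen(entries[i].data);
        if (off + 30 + nlen + dlen > cap) return 0;
        local_off[i] = (uint32_t)off;
        uint8_t *h = out + off;
        memset(h, 0, 30);
        put32(h, ZIP_LOCAL_SIG);
        put16(h + 4, 20);            /* version needed to extract */
        put32(h + 18, dlen);         /* compressed size (stored)  */
        put32(h + 22, dlen);         /* uncompressed size         */
        put16(h + 26, nlen);         /* file name length          */
        memcpy(h + 30, entries[i].name, nlen);
        memcpy(h + 30 + nlen, entries[i].data, dlen);
        off += 30 + nlen + dlen;
    }
    uint32_t cd_start = (uint32_t)off;
    for (int i = 0; i < n; i++) {
        uint16_t nlen = (uint16_t)strlen(entries[i].name);
        uint32_t dlen = (uint32_t)strlen(entries[i].data);
        if (off + 46 + nlen > cap) return 0;
        uint8_t *h = out + off;
        memset(h, 0, 46);
        put32(h, ZIP_CENTRAL_SIG);
        put16(h + 4, 20); put16(h + 6, 20);
        put32(h + 20, dlen); put32(h + 24, dlen);
        put16(h + 28, nlen);         /* file name length; extra/comment stay 0 */
        put32(h + 42, local_off[i]); /* offset of local header */
        memcpy(h + 46, entries[i].name, nlen);
        off += 46 + nlen;
    }
    if (off + 22 > cap) return 0;
    uint8_t *e = out + off;
    memset(e, 0, 22);
    put32(e, ZIP_EOCD_SIG);
    put16(e + 8, (uint16_t)n); put16(e + 10, (uint16_t)n);
    put32(e + 12, (uint32_t)(off - cd_start));
    put32(e + 16, cd_start);
    return off + 22;
}

/* Walk the central directory and count file names that already appeared in an
 * earlier entry (0 means clean, -1 means the archive is malformed). Names are
 * compared byte-for-byte; a tool that normalises paths should compare after
 * normalisation as well. Assumes at most 256 entries. */
int count_duplicate_entries(const uint8_t *zip, size_t len) {
    if (len < 22) return -1;
    size_t eocd = len - 22;                       /* scan back past any comment */
    while (get32(zip + eocd) != ZIP_EOCD_SIG) { if (eocd == 0) return -1; eocd--; }
    uint16_t n = get16(zip + eocd + 10);
    size_t pos = get32(zip + eocd + 16);
    const uint8_t *names[256]; uint16_t lens[256];
    if (n > 256) return -1;
    int dups = 0;
    for (int i = 0; i < n; i++) {
        if (pos + 46 > len || get32(zip + pos) != ZIP_CENTRAL_SIG) return -1;
        uint16_t nlen = get16(zip + pos + 28);
        uint16_t xlen = get16(zip + pos + 30);
        uint16_t clen = get16(zip + pos + 32);
        if (pos + 46 + nlen > len) return -1;
        names[i] = zip + pos + 46; lens[i] = nlen;
        for (int j = 0; j < i; j++)
            if (lens[j] == nlen && memcmp(names[j], names[i], nlen) == 0) { dups++; break; }
        pos += 46 + (size_t)nlen + xlen + clen;
    }
    return dups;
}
```

A sample run would build one archive with unique names (AndroidManifest.xml, classes.dex) and one with classes.dex listed twice, and the second should report one duplicate. Against real APKs, feed the file bytes to count_duplicate_entries; any non-zero result means the archive should be rejected before signature verification is even attempted, since a verifier and an extractor that disagree on which entry is "the" classes.dex is precisely what the bug exploits.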
