Event Related
- Black Hat USA 2013
- Black Hat USA 2013, Bochspwn, slides and pointers – j00ru.vexillium.org
Two weeks ago (we’re running late, sorry!) Gynvael and I had the pleasure to attend one of the largest, most technical and renowned conferences in existence – Black Hat 2013 in Las Vegas, USA.
- Black Hat Presentation on Android “Master Key” – bluebox.com
This presentation is a case study showcasing the technical details of Android security bug 8219321, disclosed to Google in February 2013.
- Insidious Implicit Windows Trust Relationships – h.foofus.net
I recently gave the talk “Insidious Implicit Windows Trust Relationships” at BSides Detroit. You can download a PDF of the awesome slides and notes here.
Resources
- Access Control Part 3: Using the Big Guns! – penturalabs.wordpress.com
Or rather miniature guns, that pack a powerful punch… In our previous posting, Access Control Part 2: Mifare Attacks, we demonstrated a weakness in some Mifare implementations.
- IPMI: Freight Train to Hell – fish2.com
IPMI is a protocol mainly used to facilitate remote management of servers. Published by Intel and created in conjunction with other major vendors, it’s nearly universally supported and is widely used for emergency maintenance as well as the provisioning and rollout of applications, operating systems, and various other administrative tasks.
- Domains That Are Typos of Other Domains – cert.org
I’ve been investigating the usage of domains that are typos of other domains. For example, foogle.com is a typo of google.com, and it’s a common one since ‘f’ is next to ‘g’ on the standard keyboard. The existing hypothesis has been that typo domains would be used for malicious purposes.
Tools
- What’s new in IronWASP v0.9.6.5 – blog.ironwasp.org
IronWASP v0.9.6.5 is now available for download. Users of older versions should get an update prompt when using IronWASP. This is what you get with the new version.
- gabemarshall/ntrace – github.com
Command-line security tool to detect Cross-Site Tracing vulnerabilities, written in node.
- levle/PHPmap – github.com
PHPmap – Exploitation of the PHP eval() function where user input is passed.
- Egresser – Tool to Enumerate Outbound Firewall Rules – blog.cyberis.co.uk
Egresser is a tool to enumerate outbound firewall rules, designed for penetration testers to assess whether egress filtering is adequate from within a corporate network.
- pyreshark – code.google.com
A Wireshark plugin providing a simple interface for writing dissectors in Python.
- ZMap – The Internet Scanner – zmap.io
ZMap is an open-source network scanner that enables researchers to easily perform Internet-wide network studies. With a single machine and a well provisioned network uplink, ZMap is capable of performing a complete scan of the IPv4 address space in under 45 minutes, approaching the theoretical limit of gigabit Ethernet.
Techniques
- HackRF
- Sniffing GSM with HackRF – binaryrf.com
I recently had a play with sniffing some GSM using the HackRF. The clock was a little unstable and drifted quite a bit, but in the end I was able to view lots of different system messages etc. I will assume you have a working Linux system with gnuradio and hackrf running for this tutorial. If not, you can use the live CD which I referenced in the software section of the forum; it’s a great tool and the HackRF works right out of the box.
- Decoding Pocsag Pagers With The HackRF – binaryrf.com
This is another quick tutorial on things you can do with the HackRF. I was lucky enough to get one as part of the beta; it is a great piece of hardware, and it is my hope that with these tutorials I can do my part in getting more people interested so we can get a massive community built around the HackRF. Today I am going to be talking about decoding POCSAG pager messages; for this I will assume you are using the great Ubuntu live CD for the HackRF.
- The Burp SessionAuth Extension – skora.net
Normally a web application should identify a logged-in user by data which is stored on the server side in some kind of session storage. However, in web application audits one can often observe that internal user identifiers are transmitted in HTTP requests as parameters or cookies.
- Remote Code Execution on Wired-side Servers over Unauthenticated Wireless – blog.opensecurityresearch.com
There’s a remote code execution vulnerability that can be exploited via 802.11 wireless to compromise a wired-side server. The attacker needs no prior knowledge of the wireless network or authenticated access in order to exploit it.
- Nitesh Dhanjani: Hacking Lightbulbs – dhanjani.com
The phenomenon of the Internet of Things (IoT) is positively influencing our lives by augmenting our spaces with intelligent and connected devices. Examples of these devices include lightbulbs, motion sensors, door locks, video cameras, thermostats, and power outlets.
Other News
- Researchers release tool to pickup the SLAAC in Man-In-The-Middle attacks using IPv6 – networkworld.com
A group of researchers from Neohapsis Labs released a tool last weekend during DEF CON that drops the time needed for a Man-in-the-Middle attack using IPv6 (SLAAC Attack) from hours down to minutes or less.
- If You Send To Gmail, You Should Have ‘No Legitimate Expectation Of Privacy’ – Business Insider – businessinsider.com
If you happen to send an email to one of the 400 million people who use Google’s Gmail service, you shouldn’t have any expectation of privacy, according to a court briefing obtained by the Consumer Watchdog website.
- Baby monitor hack shows danger of default passwords – zdnet.com
ABC News ran a story of a hacked baby monitor for the visceral fear it provokes. A more useful interpretation of the events is to warn of the dangers of default passwords.
- Remotely Assembled Malware Blows Past Apple’s Screening Process – technologyreview.com
Mystery has long shrouded how Apple vets iPhone, iPad, and iPod apps for safety. Now, researchers who managed to get a malicious app up for sale in the App Store have determined that the company’s review process runs at least some programs for only a few seconds before giving the green light.