Xplico - Network forensics

A great new tool for analyzing network traffic has been released. As stated on the Xplico web site:

"Xplico isn’t a network protocol analyzer. Xplico is an open source Network Forensic Analysis Tool (NFAT)."

The goal of Xplico is to extract the application data contained in an internet traffic capture.
For example, from a pcap file Xplico extracts each email (POP, IMAP, and SMTP protocols), all HTTP contents, each VoIP call (SIP), and so on.


Website and more info: http://www.xplico.org/about


-CMM

Incident Handling Cheatsheets

The guys at ISC SANS (Internet Storm Center) have released two Incident Handling Cheatsheets. These will be useful for people who got hacked or infected by malware, system administrators, etc.

The first one is "Security Incident Survey Cheat Sheet for Server Administrators"; it captures tips for examining a suspect machine.

The other is a questionnaire for responders; it collects the most important questions an incident handler should ask when taking control of the incident, or getting in contact with the problem.


IV OWASP SPAIN presentation


Last Friday I did a presentation about new ways to get information from a target person or company. The title was "A Fresh new look into Information Gathering".

The room was full, even though my talk started at 19:15, after 3 other talks. That was very cool because it means that people were interested in the topic.

It's curious how many people are not aware of this issue (information gathering, information leaks, etc.), but at least I felt good about raising some awareness.

You can get the presentation here

-CMM

Nessus - Alternative Feeds

The people at Alienvault.com have released an alternative Nessus feed. They have 3058 plugins in the feed, and the most interesting feature is that they provide a lot of plugins for SCADA servers; this is interesting since the only plugins available for SCADA were paid.

So if you want to use these plugins, go to this page

The plugins also work on OpenVAS

Do you know any other free feed?

Enjoy

-CMM

Desktop setup - Unity power

After trying different setups and OSes, I'm currently working with two different setups. My work computer is a lame Fujitsu Siemens 15" wide with a Core 2 Duo 2.4GHz and 2GB of RAM; this machine runs Windows Vista SP1, which is really fast on this machine, and I'm pretty happy with it. My other computer is my personal laptop, a MacBook Pro 15" Core Duo 2.0GHz with 2GB of RAM; it really is the best computer I have owned, it's a pleasure to use, and I enjoy OS X a lot.

First I want to make clear why I use Windows Vista instead of Linux. Well, because I work a lot with Office documents, and I couldn't find a good solution on Linux (I tried almost everything), and also because of the different problems I have with Linux that are time-consuming to fix (multiple screens are a difficult task on Linux; I don't know why they don't create an easy config tool like Windows has).

So where is Linux? I run Linux on both machines in a VMware virtual machine. On the Fujitsu machine it is blazing fast, so fast that I had to try it native and compare, and to my perception it was faster in the virtual machine. I'm not sure why, but it's good for me :)

And on my personal computer Linux runs in VMware Fusion, a great piece of software. You might be thinking "it's the same as the other VMwares out there"; well, NO, it has a feature called Unity that allows you to run the guest operating system's applications on the host desktop as if they were native applications. I talked about a similar feature in Parallels called Coherence. Both VMware and Parallels supported Windows guest systems for this feature, but recently VMware Fusion added support for Linux guest systems.

Here is my OSX desktop, running my Ubuntu linux applications (the ones with black windows):

You can see ProxyStrike running on OSX and Linux, an Ubuntu terminal and an OSX terminal, and also an Ubuntu file manager window.

For OSX to be perfect, I would like to have window management options like WMII; not all of them, but basic ones, like WinSplit Revolution on Windows.

(After writing this post I found a way of doing some of the tricks, but you have to use AppleScript and Quicksilver. I will post a customized version later.)

In a future post I will show the software I usually use on both machines for my pentesting tasks and also for productivity.

What is your desktop setup?

-CMM

WebSlayer at Pauldotcom podcast


Last week Matt Tesauro from OWASP pointed out to me that "WebSlayer" was reviewed on the show "PaulDotCom", a Security Weekly podcast.


The MP3 of the show can be downloaded here

Also you can find the episode notes here


I recommend this podcast; it is very interesting and they talk a lot about penetration testing topics. It is really useful and very entertaining.

They liked the tool, so it's a good sign and good feedback.

I'm waiting for the next episode :)

-CMM

Clickjacking Demo

There has been a lot of buzz on the net in the last few months about a new type of vulnerability known as "ClickJacking" or "UI redressing". The vulnerability is a variant of Cross Site Request Forgery (CSRF). The idea is simple; here is an explanation found at www.webmonkey.com:

"The basic idea is that an attacker loads the content of an external site into the site you’re visiting, sets the external content to be invisible and then overlays the page you’re looking at. When you click a link you see on the current page, you are in fact clicking on the externally loaded page and about to load pretty much whatever the attacker wants."

Well, it seems pretty easy and clear, but if you want to see an attack in action, check out this demo at GUYA.NET, where an attacker controls the victim's camera through a ClickJacking attack.

Some of you might be wondering how you can protect against it. The latest version of NoScript (a Firefox plugin that provides protection against XSS) adds protection against ClickJacking.

Be careful where you click ;)

CMM-
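
On the server side, a site can tell browsers not to render it inside another site's frame. The following is an added example, not part of the original post: it classifies a response's anti-framing headers (X-Frame-Options and the CSP frame-ancestors directive, neither of which the post mentions) using constructed sample responses.

```python
WIDE_SOURCES = {"*", "http:", "https:"}  # sources that let any site frame the page

def frame_ancestors(csp_value):
    """Return the frame-ancestors source list of one CSP header value, or None."""
    for directive in csp_value.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            return [p.lower() for p in parts[1:]]
    return None

def framing_verdict(headers):
    """Classify anti-framing protection from (name, value) response header pairs."""
    # Report-Only policies are not enforced, so only the enforcing header counts.
    csp = [v for n, v in headers if n.lower() == "content-security-policy"]
    xfo = [v for n, v in headers if n.lower() == "x-frame-options"]
    source_lists = [s for s in map(frame_ancestors, csp) if s is not None]
    if source_lists:
        # Browsers that support frame-ancestors ignore X-Frame-Options when it
        # is present. Each policy applies on its own, so one tight list suffices.
        if any(not WIDE_SOURCES & set(s) for s in source_lists):
            return ("protected", "frame-ancestors restricts who may frame the page")
        return ("exposed", "frame-ancestors allows any origin")
    values = {t.strip().upper() for v in xfo for t in v.split(",") if t.strip()}
    if values in ({"DENY"}, {"SAMEORIGIN"}):
        return ("protected", "X-Frame-Options " + values.pop())
    if values:
        return ("review", "non-standard or conflicting X-Frame-Options value")
    return ("exposed", "no anti-framing header")

# Constructed sample responses (header names are real, values are made up).
SAMPLES = {
    "no headers": [],
    "xfo sameorigin": [("X-Frame-Options", "SAMEORIGIN")],
    "csp none": [("Content-Security-Policy", "default-src 'self'; frame-ancestors 'none'")],
    "csp wildcard beats xfo": [("X-Frame-Options", "DENY"),
                               ("Content-Security-Policy", "frame-ancestors *")],
    "allow-from": [("X-Frame-Options", "ALLOW-FROM https://partner.example")],
    "report-only": [("Content-Security-Policy-Report-Only", "frame-ancestors 'none'")],
}

if __name__ == "__main__":
    for name, headers in SAMPLES.items():
        verdict, reason = framing_verdict(headers)
        print(f"{name:24} {verdict:10} {reason}")
```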

Memoryze - Memory forensic tool

Jamie Butler presented the tool Memoryze at HITB 2008; it is intended to help incident responders find evil in live memory.

"Memoryze can acquire and/or analyze memory images, and on live systems can include the paging file in its analysis."

Memoryze site
Here are some Use cases

-CMM

OWASP EU SUMMIT is over


Wow, what a great event. I returned from Algarve, Portugal, on Saturday morning. I met a lot of interesting people, and I had a very good time.

On Thursday morning I gave my presentation about WebSlayer. I started 4 talks ahead of schedule, so they caught me a little off guard. Everything went smoothly after I managed to make the microphone work :P

There were 2 other guys from Argentina: Arturo "Buanzo" Busleiman, a very well-known security expert, and Fabio Cerullo, a great person.

The place was very beautiful, but I didn't have enough time to visit the city; we were working from 8:00 to 20:00, which was really exhausting, but fruitful.

Giorgio Fedon pulled together a good working group about Web Malware; the idea was to start working on a document to describe the different kinds of web attacks that malware uses, and how a company can protect itself from them.

On Thursday night the OWASP Band played some great tunes; it was incredible how good they were, taking into account that they had never played together!

Seven committees were created to tackle different projects and issues. This is very interesting because a layer of middle management was needed to handle all the heavy work and organization.

Regards to everyone who made this possible, especially Paulo Coimbra and Dinis Cruz, because without their effort this wouldn't have happened.

The full results of the summit will be captured and released as a report from OWASP in the next few weeks.

Now there is a lot of work to do :)

-CMM

Kiosk hacking

Have you ever found yourself trapped in an internet kiosk? Those machines with customized software (most of them running Windows) that only allow you to browse the net, print, and maybe save a file to a thumb drive? I always had my kiosk cheatsheet, but now Paul Craig has released I-KAT, a website that aims to hack a kiosk in under 120 seconds. I read his presentation at HITB and I really liked some of his tricks; he really found lots of security bypasses on the most used kiosks around the world.

Some of the tricks:

Invoking a command line, without executing cmd.exe:

-command.com
-loadfix.com start.exe
-win.com
-start loadfix.com cmd.exe
-%COMSPEC%
-sc create testsvc binpath= "cmd /K start" type= own type= interact

There are many combinations of these, and he found 17 cmd.exe detours.

Another cool trick is embedding cmd.exe inside an Office document (doc, docx, xls, xlsb, xlsm, xlsx); then, when you open the file, the "Open package Contents" dialog will pop up.

Most of the bypasses work because of the use of blacklists; people still don't get that blacklists are dangerous...

I recommend checking the I-KAT site and Paul Craig's presentation to get all the tricks:

HITB presentation
I-KAT website
Portable tool

-CMM
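
The point about blacklists can be made concrete. The following is an added example, not part of the original post or of I-KAT: it runs the launch strings listed above (with the environment variable and sc syntax in their standard form) through a default-allow blocklist and a default-deny allowlist. The policy sets, the two control cases and the kiosk URL are constructed assumptions.

```python
import ntpath
import shlex

# Constructed policies (assumptions): a blocklist naming the shell,
# and an allowlist naming the only program the kiosk should run.
BLOCKED = {"cmd", "cmd.exe"}
ALLOWED = {"iexplore.exe"}

# Launch strings from the post, plus two constructed control cases.
LAUNCHES = [
    "command.com",
    "loadfix.com start.exe",
    "win.com",
    "start loadfix.com cmd.exe",
    "%COMSPEC%",
    'sc create testsvc binpath= "cmd /K start" type= own type= interact',
    r"C:\Windows\System32\cmd.exe",        # constructed: the blocked name itself
    "iexplore.exe http://kiosk.example/",  # constructed: the intended program
]

def image_name(command_line):
    """Lower-cased file name of the program a command line starts."""
    first = shlex.split(command_line, posix=False)[0].strip('"')
    return ntpath.basename(first).lower()

def blocklist_permits(command_line):
    """Default-allow: refuse only names that someone thought to list."""
    return image_name(command_line) not in BLOCKED

def allowlist_permits(command_line):
    """Default-deny: run only names that were explicitly approved."""
    return image_name(command_line) in ALLOWED

def compare(command_lines):
    """Return (image, blocklist decision, allowlist decision) per launch."""
    return [(image_name(c), blocklist_permits(c), allowlist_permits(c))
            for c in command_lines]

if __name__ == "__main__":
    for image, by_block, by_allow in compare(LAUNCHES):
        print(f"{image:14} blocklist={'run' if by_block else 'deny':4} "
              f"allowlist={'run' if by_allow else 'deny'}")
```

Matching on the file name alone is a simplification; an allowlist in production would key on the full path, publisher or file hash.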

Defcon 16 videos and HITB 2008 presentations

The presentations from HITB are ready for download, and there is very good quality material. There are two presentations about OSX security, one from Dino Dai Zovi about exploiting OSX and another from the Grugq about anti-forensics on OSX. Check them out here:

http://conference.hitb.org/hitbsecconf2008kl/materials/

And here are some Defcon 16 videos:

Brenno De Winter - Ticket to Trouble

http://media.defcon.org/dc-16/video/dc16_dewinter_tickettotrouble/dc16_dewinter_tickettotrouble_full.mov
http://media.defcon.org/dc-16/video/dc16_dewinter_tickettotrouble/dc16_dewinter_tickettotrouble.m4v

Dan Kaminsky - DNS Goodness

http://media.defcon.org/dc-16/video/dc16_kaminsky/dc16_kaminsky_cache_full.mov
http://media.defcon.org/dc-16/video/dc16_kaminsky/dc16_kaminsky_cache.m4v

Anton Kapela and Alex Pilosov - Stealing the Internet

http://media.defcon.org/dc-16/video/dc16_kapela-pilosov_stealing/dc16_kapela-pilosov_full.mov
http://media.defcon.org/dc-16/video/dc16_kapela-pilosov_stealing/dc16_kapela-pilosov.m4v

Mike Perry - 365 Day: Active HTTPS Cookie Hijacking

http://media.defcon.org/dc-16/video/dc16_perry_TOR/dc16_perrry_TOR_full.mov
http://media.defcon.org/dc-16/video/dc16_perry_TOR/dc16_perrry_TOR.m4v

More videos to come in the next months

CMM-

WebSlayer released

Hi all, I'm pleased to announce the release of WebSlayer, the web application brute forcer.

I'm working on the presentation for the OWASP EU Summit 2008, and I created the WebSlayer project site at OWASP.

The first version released is only for Windows, but the source for Linux and OS X will be ready this week. Ubuntu 8.10 includes the python-qt4 version needed to run WebSlayer :)

Well now WebSlayer is officially an OWASP project :)

I hope you find it useful for your engagements

Stay tuned for the next release, which will be packed with new features and improvements!

CMM-