ProxyStrike v2.0 released!

I'm pleased to announce a new version of ProxyStrike, an active Web Application Proxy, a tool designed to find vulnerabilities while browsing an application. It was created because the problems we faced in the pentests of web applications that heavily depends on Javascript, not many web scanners did it good at this stage, so we came with this proxy.

Right now it has available Sql injection, XSS and Server side includes.

Highlights from this release:
• Plugin engine (Create your own plugins!)
• Automatic crawl process

• Request interceptor
• Request diffing
• Request repeater
• Save/restore session
• Http request/response history
• Request parameter stats
• Request parameter values stats
• Request url parameter signing and header field signing
• Use of an alternate proxy (tor for example ;D )
• Attack logs
• Export results to HTML or XML
* Sql attacks (plugin)
• Server Side Includes (plugin)
• Xss attacks (plugin)

Check it at:

Here is a video of the tool:

Great Job from Carlos del Ojo (deepbit) for this new release


Security Industry Salary and Certification Survey 2008

Sans Institute released an excellent study about the salaries in the Security industry and relations with certifications. This is a great study for the professionals to know where they are in relation with they career. I would like to see one of these studies for Europe, this one particularly covers USA.

The survey shows that the Security industry is one of less affected by the crisis, and where the companies plan to invest in this year.

If someone need help for a European version, let me know.

Download here

Here you have some interesting bits:

  • Salaries for information security professionals are high. Over 38% of respondents earn US $100,000 or more per year.

  • 41% of the respondents said their organizations use certifications as a factor when determining salary increases.

  • The overall mean funding for training was US $2,854 per year with a median of US $2,000 per year.

  • Digital forensics, intrusion detection, and penetration testing are the technical topics respondents are most interested in learning in 2009.

  • As of late November 2008, just over 79% of respondents forecast no information security personnel reductions in the next 12 months.

  • Over 25% of respondents plan to deploy the following technologies in 2009:

    • Configuration Management
    • SIEM (Security Information and Event Management)
    • Storage Security
    • Wireless Security Solutions
  • The best places to find an information security position are in the metro areas of Las Vegas, Nevada; Dallas, Texas; and Washington, DC.


A fresh new look into Information Gathering v2

Here is the new version of my presentation "A fresh new look into Information Gathering v2" that i presented at FIST Conference Barcelona one week ago. It's a overview of some new sources and mostly based on Metadata and Metagoofil V2 (coming soon)

If you have some new source or technique that want to share, you are welcome :)

Download here



SOURCE BOSTON experience

I recently came back from Boston were i attended to the SOURCE Conference Boston.

It was really a good conference, an excellent speaker line up, and a great environment to do networking and meet new people from the industry.

The conference had a great balance between technical talks and business talks, addressing all the needs of a security professional.

The conference started with an excellent speech by Peter Kuper, who gave his vision about the security market in these turbulent times. (speech transcript here).

Then during the conference, i attended the followings talks:

How Microsoft fixes security Vulnerabilities, interesting insight about what happens behind the courtain of a security update.

Politically Motivated Denial of Service Attacks, Jose Nazario.

Mac OS Xploitation, Dino Dai Zovi (Dino promised to transform OSX in a first class citizen in Metasploit)

Attacking Layer 8: Client Side penetration testing, Chris Gates and Vince Marvelli. They show how easy is to own the end user.

DNS: Towards the Secure Infrastructure, Dan Kaminsky. This was the same presentation as DC.

Day 2:

L0phtCrack 6 Release

400 apps in 40 days, Sahba Kazerooni. He explained how he faced a weird project of 400 applications in 40 days.

Get rich or Die Trying, Jeremiah Grossman. A cool talk on how to earn money exploiting different application vulnerabilities.

Vulnerabilities in Application Interpreters and Runtimes. Erik showed some vulnerabilities on different widely deployed interpreters and runtimes.

Day 3:

Dissecting Foreign Web Attacks, Val Smith. Val analyzed a web attack from start to end, great info in his talk.

That's all for 3 days.

Greets to Chris Gates, Vince Marvelli, Val Smith, Jose Nazario, Stacy Thayer, Christien Rioux, and everyone that i met at Boston.

Now SOURCE Barcelona is next, in the coming days we will launch the Call for papers, don't miss this great conference in this great city :)


Fist Conference - Source Boston

The FIST Conference is over, i just came home and now i'm preparing my backpack for tomorrows trip to NY and Boston, were i will attend SOURCE Conference Boston :)

The talk of Jay Libove was very interesting, he made us think over the ethics in our career, and
Vicente Diaz talk about eCrime economy showin
g some unbelievable facts and numbers, we are really outnumbered... My talk was about Information Gathering, Metadata and Social Networks, showing how easy is to obtain information about individuals and companies.

The slides will be available soon at

Here is a screenshot of the next Metagoofil version that i showed today:

Yes it has the "Analyze local files" that many of you asked for :)


Warvox: Wardialing refreshed

The people of Metasploit released a new tool for performing Wardialing attacks. You must be wondering why a new wardialing tool in these times?

Well they came with a new idea, on using Voip services to perform the scans and they claim to reach 10.000 numbers in 8 hours aprox. No modem needed, yes you read right.

One of the great things about the WarVOX model is that once the data has been gathered, it is archived and available for re-analysis as new signatures, plugins, and tools are developed.
Also is interesting the analysis they perform, because they identify more things than a modem attached to a telephone line:

This model allows WarVOX to find and classify a wide range of interesting lines, including modems, faxes, voice mail boxes, PBXs, loops, dial tones, IVRs, and forwarders. WarVOX provides the unique ability to classify all telephone lines in a given range, not just those connected to modems, allowing for a comprehensive audit of a telephone system.

The tool is coded in ruby and you can download here


Quick tip: Sharing a directory over the web easily

Sometimes you need to share a file, show someone a file, serve a client side exploit in a local network, but you don't have a web server on your machine, or don't want to upload the file to a server... Here is a very useful tip to run a web server serving the actual directory with Python:

shell>python -c "import SimpleHTTPServer;SimpleHTTPServer.test()"

there is an easier way:

shell>python -m SimpleHTTPServer

By the default it will use the port 8000.

You can create an alias for easy launching

More shell tricks in


Client Side exploit Delivery - Word files

Today i will do a brief post about how you can deliver an exploit URL to your target.
I was reading the SANS storm post about MS09-002 XML/DOC initial infection vector, and i wanted to try it. Here is the information from SANS:

After many failed attempts and some research, i stumble and old post about a XSS in Word documents where the steps to accomplish the XSS where:

The html file content:

So if you change the value code by your exploit serving URL, you will get your exploit served when the target open the Word document.

In this example i changed the value by "" and the results when opening the word file:

And in the next page is the little frame with the page loaded:

For doing it in a cleaner way, your page will be blank, so there will be no trace at plain sight for a typical user. Also it's possible to play with the object size and location. Also depending on the configuration the user will receive an alert saying that an Activex is trying to run.

So for your next penetration test when you need to perform a targeted client side attack, fire up Metasploit, setup MS09-002 build a Word file, send emails with juicy Subjects , leave some USB sticks on the building and wait :)


L0phtCrack is back with L0pht

I read via Christien Rioux twitter, that L0phtCrack is being reacquired by the original authors.

They are preparing a special information session at SOURCE Boston (Thursday 10:15 am), and they will be releasing version 6. Also they will explain the story of the product from the days of L0pht, @stake, Symantec and L0pht again.

Check this site for more info soon.

I will be there for this session!