Showing posts with label tools. Show all posts

ProxyStrike Plugins update

Well, this is a short post, just to let you know that the plugin framework of ProxyStrike has been updated, making it easier to develop your own plugins. Here is a diagram of the internal structure:


Now each plugin is a single file. Here is an example of a plugin that gathers all the email addresses seen in the proxied responses:

import re

# AttackPlugin is the base class provided by ProxyStrike's plugin framework.
class email_detect(AttackPlugin):
    def __init__(self):
        # fields names the two columns of the "tree" result view: Url -> Email
        AttackPlugin.__init__(self, name="email detect", variableSet=False,
                              iface=True, type="tree", fields=["Url", "Email"])
        self.emailre = re.compile("[a-z0-9_.-]+@[a-z0-9_.-]+", re.I)

    def process(self, req):
        # Called for every request that goes through the proxy; look at the response body
        html = req.response.getContent()
        a = self.emailre.findall(html)
        results = []
        for i in a:
            results.append([i])
        if a:
            # One result row per URL, carrying the list of addresses found in it
            self.putRESULTS([req.completeUrl, results])
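To try a plugin without the proxy running, it helps to have a tiny stand-in for the framework. The following is an added example, not ProxyStrike's own code: the AttackPlugin base class and request object below are assumed shapes that only mimic the interface used above (putRESULTS, req.response.getContent(), req.completeUrl). It also shows two things the plugin above does not handle: the original pattern swallows a sentence-ending period ("user@example.test.") and reports the same mailbox again on every page, so the plugin here uses a tighter pattern and de-duplicates across responses. The sample pages are constructed, not captured traffic.

```python
import re


# Stand-ins for ProxyStrike's AttackPlugin base class and request object.
# These are assumed shapes for offline testing, not the project's own code:
# the base class only records what putRESULTS() receives.
class AttackPlugin:
    def __init__(self, name, variableSet, iface, type, fields):
        self.name = name
        self.fields = fields
        self.results = []

    def putRESULTS(self, row):
        self.results.append(row)


class FakeResponse:
    def __init__(self, body):
        self._body = body

    def getContent(self):
        return self._body


class FakeRequest:
    def __init__(self, url, body):
        self.completeUrl = url
        self.response = FakeResponse(body)


# The pattern used in the post, kept for comparison: it happily swallows a
# sentence-ending period ("user@example.test.") and reports duplicates.
ORIGINAL_RE = re.compile(r"[a-z0-9_.-]+@[a-z0-9_.-]+", re.I)

# Tighter pattern: the domain must end in a dot followed by a label of 2+ letters,
# so trailing punctuation and bare tokens such as "user@host" are left out.
EMAIL_RE = re.compile(r"[a-z0-9_.+-]+@[a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,}", re.I)


class email_detect(AttackPlugin):
    def __init__(self):
        AttackPlugin.__init__(self, name="email detect", variableSet=False,
                              iface=True, type="tree", fields=["Url", "Email"])
        self.seen = set()  # lower-cased addresses already reported

    def process(self, req):
        html = req.response.getContent()
        new_rows = []
        for addr in EMAIL_RE.findall(html):
            key = addr.lower()
            if key in self.seen:
                continue  # same mailbox already reported from an earlier response
            self.seen.add(key)
            new_rows.append([addr])
        if new_rows:
            self.putRESULTS([req.completeUrl, new_rows])
        return new_rows


def run_demo():
    """Run the plugin over two constructed responses; returns the results table."""
    plugin = email_detect()
    pages = [  # constructed sample pages, not captured traffic
        ("http://example.test/contact",
         '<p>Write to Sales@Example.test.</p><a href="mailto:sales@example.test">mail</a>'),
        ("http://example.test/team",
         "<li>sales@example.test</li><li>cto@example.test</li>"),
    ]
    for url, body in pages:
        plugin.process(FakeRequest(url, body))
    return plugin.results


if __name__ == "__main__":
    for url, rows in run_demo():
        print(url, [r[0] for r in rows])
```

Because the stand-in keeps the same method names, the email_detect class can be dropped into the real plugin folder unchanged once you remove the fake base class and request.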


You can find more examples inside the plugin folder; just get your copy via Subversion:

svn checkout http://proxystrike.googlecode.com/svn/trunk/ proxystrike-read-only

More information is in the wiki, and you can follow updates from deepbit on his new blog.

Enjoy

-CMM

ProxyStrike v2.0 released!

I'm pleased to announce a new version of ProxyStrike, an active web application proxy, a tool designed to find vulnerabilities while you browse an application. It was created because of the problems we faced in pentests of web applications that depend heavily on JavaScript; not many web scanners did well there, so we came up with this proxy.

Right now it ships with SQL injection, XSS and Server Side Includes checks.

Highlights from this release:
• Plugin engine (Create your own plugins!)
• Automatic crawl process

• Request interceptor
• Request diffing
• Request repeater
• Save/restore session
• Http request/response history
• Request parameter stats
• Request parameter values stats
• Request url parameter signing and header field signing
• Use of an alternate proxy (tor for example ;D )
• Attack logs
• Export results to HTML or XML
• SQL attacks (plugin)
• Server Side Includes (plugin)
• XSS attacks (plugin)

Check it at: http://www.edge-security.com/proxystrike.php

Here is a video of the tool:



Great Job from Carlos del Ojo (deepbit) for this new release


-CMM

Warvox: Wardialing refreshed




The people of Metasploit released a new tool for performing wardialing attacks. You may be wondering why a new wardialing tool in this day and age.

Well, they came up with a new idea: using VoIP services to perform the scans, and they claim to reach approximately 10,000 numbers in 8 hours. No modem needed, yes you read that right.

One of the great things about the WarVOX model is that once the data has been gathered, it is archived and available for re-analysis as new signatures, plugins, and tools are developed.
The analysis they perform is also interesting, because they identify more things than just a modem attached to a telephone line:

This model allows WarVOX to find and classify a wide range of interesting lines, including modems, faxes, voice mail boxes, PBXs, loops, dial tones, IVRs, and forwarders. WarVOX provides the unique ability to classify all telephone lines in a given range, not just those connected to modems, allowing for a comprehensive audit of a telephone system.


The tool is coded in Ruby and you can download it here.

-CMM

Quick tip: Sharing a directory over the web easily

Sometimes you need to share a file, show someone a file, or serve a client-side exploit in a local network, but you don't have a web server on your machine or don't want to upload the file to a server... Here is a very useful tip to run a web server serving the current directory with Python:

shell>python -c "import SimpleHTTPServer;SimpleHTTPServer.test()"

There is an easier way:

shell>python -m SimpleHTTPServer

By default it will use port 8000. Keep in mind that it listens on all interfaces and serves everything under the current directory to anyone who can reach that port, so run it from a directory that contains only what you intend to share and stop it when you are done. On Python 3 the module is called http.server (python3 -m http.server).

You can create an alias for easy launching.

More shell tricks at Shell-fu.org

-CMM

Client Side exploit Delivery - Word files


Today I will do a brief post about how you can deliver an exploit URL to your target.
I was reading the SANS Internet Storm Center post about the MS09-002 XML/DOC initial infection vector, and I wanted to try it. Here is the information from SANS:



After many failed attempts and some research, I stumbled upon an old post about XSS in Word documents, where the steps to accomplish the XSS were:



The html file content:


So if you replace the value with your exploit-serving URL, your exploit will be served when the target opens the Word document.

In this example I changed the value to "http://www.google.com", and here are the results when opening the Word file:


And on the next page is the little frame with the page loaded:


To do it in a cleaner way, make your page blank, so there will be no trace in plain sight for a typical user. It is also possible to play with the object size and location. Depending on the configuration, the user may receive an alert saying that an ActiveX control is trying to run.

So for your next penetration test, when you need to perform a targeted client-side attack: fire up Metasploit, set up MS09-002, build a Word file, send emails with juicy subjects, leave some USB sticks around the building and wait :)

-CMM

L0phtCrack is back with L0pht

I read via Christien Rioux's Twitter that L0phtCrack is being reacquired by its original authors.

They are preparing a special information session at SOURCE Boston (Thursday, 10:15 am), where they will be releasing version 6. They will also tell the story of the product from the days of L0pht, @stake, Symantec and L0pht again.

Check this site for more info soon.

I will be there for this session!


-CMM

15 Minutes Penetration test

Here you have two interesting videos from Ryan Linn on EthicalHacker.net, reviewing a fast penetration test using Nmap, Nessus, Metasploit/Meterpreter and Ophcrack.

Video part 1 Nmap, Nessus, Metasploit
Video part 2 Meterpreter, Ophcrack, Command line users

This is a good time to say how much I like Meterpreter :)

Enjoy

-CMM

Fast-Track - Automated penetration testing suite


Fast-track is
"a compilation of custom developed tools that allow penetration testers the ease of advanced penetration techniques in a relatively easy manner"

Fast-Track has tools for MSSQL Server, SQL injection, Metasploit autopwn automation, mass client-side attacks, exploits and a payload generator.

The idea is to provide easy and fast-to-use tools for tasks that would usually take you many steps, or some minor coding on top of existing tools. I liked the integration with Metasploit payloads.

It's like executing combos of scripts and tools :)

You can check a video of the SQLPwnage module in action:


Fast-Track SQLPwnage from David Kennedy on Vimeo

Presentation of Fast-Track at ShmooCon 2009, here
Download here

Enjoy

-CMM

BackTrack 4 is here! - CUDA support


The new BackTrack 4 beta is out! You can download your ISO here, and you can check the BackTrack 4 info on their blog.

The most interesting feature is that it is based on Ubuntu, which means it will be easy to update, maintain, create packages, etc.! The BackTrack team wants it to be not only your live CD but your everyday desktop, and with this change I think a lot of users will make the switch.

Another feature is the support for Pyrit and CUDA, to exploit the power of GPUs.

Enjoy 

-CMM



Web Services Security testing

Last week I had to perform a penetration test on a web services environment, and during the project I found the following interesting documents:

SIFT  - Web Services Security Testing Framework  V1  - by SIFT  Link

This document is a great resource.

Web Services Security  - by Bilal Saddiqui Link

Exploring Web Services Encryption - by Bilal Saddiqui   Link

More on Web Services Encryption - by Schmoil Link

Seguridad en Servicios Web (Spanish) - by Oscar Gonzales Link

About the tools: I had some trouble with the usual hacking tools. We didn't have UDDI or jUDDI, so we had to hack the application server (JBoss) and then access the web services admin panel to get the WSDL.

With the WSDL I proceeded to perform some brute-force attacks with WebSlayer to find a valid username and password for the WS-Security (client authentication).
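To see what that WS-Security client authentication actually looks like on the wire, here is an added example (not part of the original post, and not the WebSlayer workflow) that builds and verifies a wsse:UsernameToken. The client half produces a SOAP 1.1 envelope with either a PasswordText token (the password travels in the clear) or a PasswordDigest token, where Password_Digest = Base64(SHA-1(nonce + created + password)) per the OASIS UsernameToken Profile 1.0; the server half only accepts digests, checks that Created is fresh and that the nonce has not been seen, which is what forces a brute force to be one online guess per request instead of an offline attack on a captured token. The namespace URIs are the real OASIS ones; the credential store, nonce and clock are constructed so the run is reproducible.

```python
import base64
import hashlib
import hmac
import os
from datetime import datetime, timedelta, timezone
from xml.etree import ElementTree as ET

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
PROFILE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0"
PASSWORD_TEXT = PROFILE + "#PasswordText"
PASSWORD_DIGEST = PROFILE + "#PasswordDigest"
BASE64_BINARY = ("http://docs.oasis-open.org/wss/2004/01/"
                 "oasis-200401-wss-soap-message-security-1.0#Base64Binary")
for _prefix, _uri in (("soapenv", SOAP), ("wsse", WSSE), ("wsu", WSU)):
    ET.register_namespace(_prefix, _uri)


def password_digest(nonce: bytes, created: str, password: str) -> str:
    """UsernameToken Profile 1.0: Password_Digest = Base64(SHA-1(nonce + created + password))."""
    raw = hashlib.sha1(nonce + created.encode() + password.encode()).digest()
    return base64.b64encode(raw).decode()


def build_envelope(username, password, body_xml, digest=True, nonce=None, created=None):
    """Client side: SOAP 1.1 envelope carrying a wsse:UsernameToken in the header."""
    nonce = nonce if nonce is not None else os.urandom(16)
    created = created or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    env = ET.Element(f"{{{SOAP}}}Envelope")
    header = ET.SubElement(env, f"{{{SOAP}}}Header")
    sec = ET.SubElement(header, f"{{{WSSE}}}Security", {f"{{{SOAP}}}mustUnderstand": "1"})
    tok = ET.SubElement(sec, f"{{{WSSE}}}UsernameToken")
    ET.SubElement(tok, f"{{{WSSE}}}Username").text = username
    pw = ET.SubElement(tok, f"{{{WSSE}}}Password")
    if digest:
        pw.set("Type", PASSWORD_DIGEST)
        pw.text = password_digest(nonce, created, password)
        nonce_el = ET.SubElement(tok, f"{{{WSSE}}}Nonce", {"EncodingType": BASE64_BINARY})
        nonce_el.text = base64.b64encode(nonce).decode()
        ET.SubElement(tok, f"{{{WSU}}}Created").text = created
    else:
        pw.set("Type", PASSWORD_TEXT)  # cleartext: anyone on the path reads the password
        pw.text = password
    ET.SubElement(env, f"{{{SOAP}}}Body").append(ET.fromstring(body_xml))
    return ET.tostring(env, encoding="unicode")


def verify_envelope(xml_text, lookup_password, now=None,
                    max_age=timedelta(minutes=5), seen_nonces=None):
    """Server side: return the authenticated username, or None if the token is rejected.

    Only PasswordDigest is accepted; Created must be fresh and the nonce unused,
    so a guessing attack is limited to one online attempt per request."""
    root = ET.fromstring(xml_text)
    tok = root.find(f".//{{{WSSE}}}UsernameToken")
    if tok is None:
        return None
    username = tok.findtext(f"{{{WSSE}}}Username")
    pw = tok.find(f"{{{WSSE}}}Password")
    nonce_b64 = tok.findtext(f"{{{WSSE}}}Nonce")
    created = tok.findtext(f"{{{WSU}}}Created")
    if pw is None or pw.get("Type") != PASSWORD_DIGEST or not (username and nonce_b64 and created):
        return None
    now = now or datetime.now(timezone.utc)
    created_dt = datetime.strptime(created, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    if not (now - max_age <= created_dt <= now + timedelta(minutes=1)):
        return None  # stale or future-dated token: outside the replay window
    if seen_nonces is not None and nonce_b64 in seen_nonces:
        return None  # replayed nonce
    secret = lookup_password(username)
    if secret is None:
        return None
    expected = password_digest(base64.b64decode(nonce_b64), created, secret)
    if not hmac.compare_digest(expected.encode(), (pw.text or "").encode()):
        return None
    if seen_nonces is not None:
        seen_nonces.add(nonce_b64)  # remember only tokens that authenticated
    return username


def demo():
    """Exercise both halves with a constructed credential store and a fixed clock."""
    users = {"admin": "s3cret"}  # constructed, for the demo only
    nonce, created = b"\x00" * 16, "2009-03-01T10:00:00Z"  # fixed for reproducibility
    now = datetime(2009, 3, 1, 10, 0, 30, tzinfo=timezone.utc)
    body = "<Ping xmlns='urn:demo'/>"
    good = build_envelope("admin", "s3cret", body, nonce=nonce, created=created)
    wrong = build_envelope("admin", "wr0ng", body, nonce=nonce, created=created)
    text = build_envelope("admin", "s3cret", body, digest=False, nonce=nonce, created=created)
    other = build_envelope("bob", "x", body, nonce=nonce, created=created)
    seen = set()
    return {
        "good": verify_envelope(good, users.get, now=now, seen_nonces=seen),
        "replay": verify_envelope(good, users.get, now=now, seen_nonces=seen),
        "wrong_password": verify_envelope(wrong, users.get, now=now),
        "cleartext_rejected": verify_envelope(text, users.get, now=now),
        "stale": verify_envelope(good, users.get, now=now + timedelta(hours=1)),
        "unknown_user": verify_envelope(other, users.get, now=now),
    }


if __name__ == "__main__":
    print(demo())
```

When you are on the testing side, the two token types tell you what a brute force costs: a PasswordText endpoint hands you the password format for free and accepts any number of guesses, while a PasswordDigest endpoint that enforces the nonce and Created window forces one fresh SOAP request per guess, which is the rate you should expect from a tool such as WebSlayer against it.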

The other tool I used was AppScan Web Services Power Tools, which allowed me to get the descriptions and perform requests, but I didn't like the way it handles raw requests...

Another interesting tool is soapUI, the web services testing tool; it's very complete and I'm still learning how to use it....

We also used WSFuzzer from OWASP. Here is a video on how to use it.

UPDATE:


Any other interesting tools or documents?

-CMM

DVL 1.5 - a hacking playground


A new version of the most vulnerable distribution was released yesterday. This Linux distribution is known for providing resources to learn security and hacking. It's loaded with training material, vulnerable software and tools.

It's a very interesting distribution to have in your lab, for testing your tools in a controlled environment.

The new version 1.5 (Infectious Disease) is a 1.6 GB ISO image, and it's available to download here.

Happy hacking

-CMM

Web Application vulnerability scanners comparison

Today I saw a message from "Anantasec" on the pen-test mailing list about an evaluation/comparison of web application scanners.

The products analyzed are IBM AppScan (7.7.620 SP2), HP WebInspect (7.7.869) and Acunetix (6.0), all commercial products.

The analysis only evaluates the results of the scans against 16 applications; it doesn't compare features, options or capabilities of the products.

After reading the report I have some doubts about its origin. Maybe it could be a biased analysis for Acunetix? It's an anonymous writer, a blog with just one post... it makes me wonder. (Damn, no interesting metadata in the document.)

Personally I have used all the scanners and I'm happy with AppScan; I'm missing the scheduling option of WebInspect. Also, Acunetix improved a lot in the latest versions and could be an interesting option when considering price/value.

An interesting fact from the analysis is that each of the scanners performed better when scanning the demo application of its own company :)

Here is the report from Anantasec; draw your own conclusions.

Remember to use more than one tool for the task, to get complementary results, and also that a scanner will not discover all the vulnerabilities in an application, so don't rely on them alone.

I always use ProxyStrike when doing the manual analysis of the application, and I discover XSS and SQL injection that none of the scanners mentioned before do. Btw, a new version is coming!

If you want more options in web application scanners, don't forget the open source ones; right now there is a clear leader in this field, w3af, which is very complete, has even more plugins or checks than the commercial ones, and is multi-platform.

What are you using?

-CMM

Zerowine: Malware behavior analysis

Here is a new project aimed at dynamically analyzing the behavior of malware. The twist is that Zerowine runs the malware sample under WINE inside a virtual sandbox, collecting information about the APIs called by the sample.

Zerowine is distributed as a QEMU virtual machine with a Debian OS. Zerowine is installed in the virtual machine together with a web interface to upload malware samples, check the status of the analysis and finally present the report.

Here are some screenshots:



Project page: Zerowine
Enjoy
-CMM

Virustotal uploader

Here is a new handy tool for uploading files to virustotal.com. This program adds an entry to the Windows context menu to send the file to virustotal.com.

For those who don't know, virustotal.com offers an online antivirus service using 39 antivirus engines. It's very useful when you need to check a downloaded file or a suspicious file during an investigation.



You can check it here

Info via lifehacker.com

-CMM 

Canvas + Nessus + D2 Bundle

It's good to see products join forces and integrate as much as possible to facilitate the tasks of pentesters.

Now the guys at Tenable Network Security, Immunity and DSquare Security are offering a 20% discount if you buy the bundle: Nessus Professional Feed + Canvas + D2 exploit pack.

An example of the integration is the plugin that D2 developed, which allows you to import the Nessus results into Canvas and analyze them to show which exploits can be used against the detected vulnerabilities.

Here is a video where you can watch this feature.

Another feature is that the hashes (LM/NTLM) retrieved with Canvas can be fed into Nessus to perform local (credentialed) checks.

You can find more info here.

Cisco IOS emulator

Today I discovered a great piece of software called Dynamips that allows us to emulate Cisco IOS and run virtual routers and PIXes. You heard right, "emulate", not "simulate": the software actually runs the IOS and lets you create interfaces. Dynamips is command-line, but there is another interesting project called GNS3, a graphical network simulator that allows simulation of complex networks.

I'm starting to play with this thing, but it seems pretty solid; there are people running PIX firewalls, routers, IPsec VPNs and QoS at home with GNS3.
This is very interesting when you need to test something on a real IOS and you don't have the necessary hardware.

It's important to note that you will need the Cisco IOS images, which are not included.

Enjoy

-CMM

Netifera - Network security Analysis

A new framework is being cooked at Netifera.com. It is built on the Eclipse framework, so the application will be able to run on all platforms; right now there are only two packages, Linux and OS X.

A description taken from their website:

"At netifera we are building a next generation platform for network security analysis.

Our architecture is a radically innovative approach to managing high volumes of network information.

Our free and open source platform provides the framework for creating and integrating security tools with a flexibility that has never been possible before."

The team is made up of people who have worked at CORE; Sebastian Muñiz and Luciano Notarfrancesco were the ones who presented the tool at XCON in China.

You can download the beta and get more information HERE

-CMM



Jsky - a free Web Application Scanner

A new free web application scanner is out, from the same author as Pangolin (a good SQL injection tool). The scanner looks pretty solid and complete for an alpha version; the list of checks is the following:

  • SQL Injection
  • XSS
  • Unsecure object using
  • Local path disclosure
  • Unsecure directory permissions
  • Server vulnerabilities like buffer overflow and configure error
  • Possible sensitive directories and files scan
  • Backup files scan
  • Source code disclosure
  • Command Execute
  • File Include
  • Web backdoor
  • Sensitive information
  • And so much more......
It also claims to exploit the vulnerabilities, but I haven't tried that option yet.

Here is a screenshot of the tool in action:




You can download it from here

-CMM

Windows Vista - Easy hack

Hi, this time the people from Offensive-Security.com bring us an example of how Windows Vista can be hacked in a very easy way: forget exploits, ASLR, DEP, etc.

Just boot with a live CD, rename utilman.exe to utilman.old, and copy cmd.exe to utilman.exe.

Then at the logon screen, press Windows key + U (the Ease of Access shortcut that launches utilman.exe), and a console running with SYSTEM privileges will pop up.

It's the same as the old Windows XP Sticky Keys trick (replacing sethc.exe). Full-disk encryption such as BitLocker is what prevents this kind of offline file swap.

Video here

Enjoy

Metagoofil 1.4 - Metadata exposed

Hi, this time I will post a brief entry about the new version of Metagoofil, released some days ago.

In this version (1.4) I added a new feature that extracts the MAC address from Office documents. Yes, you read that right: the MAC address.

We can find this information inside the documents in a string like this:

_PID_ GUID ... {F96EB3B9-C9F1-11D2-95EB-0060089BB2DA}

The last 12 hex digits are the MAC address of the machine that created the document (00:60:08:9B:B2:DA in this case). This works because it is a version 1 (time-based) GUID, which by design embeds the network card's MAC address as its node field together with a creation timestamp.
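Decoding the GUID by hand is easy to get wrong, so here is an added example (not Metagoofil's code) that uses Python's stdlib uuid module to pull every GUID out of already-extracted document text, confirms it is a version 1 GUID, extracts the MAC address and the creation time (100 ns intervals since 1582-10-15, per RFC 4122), and flags the two cases where there is no MAC to recover: a version 1 GUID whose node has the multicast bit set (a random node, allowed by the RFC) and a version 4 GUID, which is purely random and is what newer Office versions write. The sample text is constructed around the GUID quoted above plus a made-up version 4 GUID; it does not do the OUI-to-vendor lookup mentioned below.

```python
import re
import uuid
from datetime import datetime, timedelta, timezone

GUID_RE = re.compile(
    r"\{?([0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{12})\}?"
)
# UUID timestamps count 100 ns intervals from the Gregorian reform date (RFC 4122)
GREGORIAN_EPOCH = datetime(1582, 10, 15, tzinfo=timezone.utc)

# Constructed sample: the GUID quoted in the post, followed by a version 4
# (random) GUID of the kind newer Office versions write, which carries no MAC.
SAMPLE_TEXT = ("_PID_GUID ... {F96EB3B9-C9F1-11D2-95EB-0060089BB2DA} ... "
               "{12345678-1234-4123-8123-123456789ABC}")


def analyse_guid(text: str) -> dict:
    """Decode one GUID: version, embedded MAC (version 1 only) and creation time."""
    u = uuid.UUID(text)
    info = {"guid": str(u).upper(), "version": u.version,
            "mac": None, "random_node": None, "created": None}
    if u.version == 1:
        node = u.node  # 48-bit node field, the last 12 hex digits of the GUID
        # If the multicast bit (lowest bit of the first octet) is set, the RFC
        # says the node was randomly generated rather than taken from a NIC.
        info["random_node"] = bool((node >> 40) & 1)
        if not info["random_node"]:
            info["mac"] = ":".join(f"{(node >> shift) & 0xFF:02X}"
                                   for shift in range(40, -1, -8))
        # u.time is the 60-bit timestamp; divide by 10 to get microseconds
        info["created"] = GREGORIAN_EPOCH + timedelta(microseconds=u.time // 10)
    return info


def extract_pid_guids(document_text: str) -> list:
    """Find every GUID in extracted document text and decode each of them."""
    return [analyse_guid(m.group(1)) for m in GUID_RE.finditer(document_text)]


if __name__ == "__main__":
    for report in extract_pid_guids(SAMPLE_TEXT):
        print(report)
```

The creation timestamp is a second piece of tracking data that comes along for free: it tells you when the document (or the template it was cloned from) was first created, independent of the dates in the document properties.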

So here we have another piece of information that can be used to track a user, and most of them don't know it exists :(

The next version of Metagoofil will possibly map the MAC address to the vendor name, so we can have more information about a target company.
Download here: MetaGooFil