<?xml version='1.0' encoding='UTF-8'?><feed xmlns='http://www.w3.org/2005/Atom' xmlns:openSearch='http://a9.com/-/spec/opensearchrss/1.0/'><id>tag:blogger.com,1999:blog-121869284259845227</id><updated>2008-05-12T08:57:54.606-04:00</updated><title type='text'>hideaway [dot] net</title><link rel='alternate' type='text/html' href='http://www.hideaway.net/'/><link rel='next' type='application/atom+xml' href='http://www.blogger.com/feeds/121869284259845227/posts/default?start-index=26&amp;max-results=25'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/121869284259845227/posts/default'/><link rel='http://schemas.google.com/g/2005#feed' type='application/atom+xml' href='http://www.hideaway.net/atom.xml'/><author><name>Ryan</name><uri>http://www.blogger.com/profile/11336255133233594442</uri><email>noreply@blogger.com</email></author><generator version='7.00' uri='http://www.blogger.com'>Blogger</generator><openSearch:totalResults>26</openSearch:totalResults><openSearch:startIndex>1</openSearch:startIndex><openSearch:itemsPerPage>25</openSearch:itemsPerPage><entry><id>tag:blogger.com,1999:blog-121869284259845227.post-173280044883461508</id><published>2008-05-09T00:25:00.002-04:00</published><updated>2008-05-09T00:34:55.051-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='web-app security'/><category scheme='http://www.blogger.com/atom/ns#' term='XSS'/><title type='text'>But the logo says I'm secure!</title><summary type='text'>Russ McRee at HolisticInfoSec.org posted a fun little video to demonstrate just how effective McAfee's "Hacker Safe" ScanAlert really is.  These sites have some really basic XSS vulnerabilities, so either the scans aren't working, the companies aren't bothering to fix known weaknesses, or it's a little bit of both.   
If all they care about is sticking a logo on their site, they might as well </summary><link rel='alternate' type='text/html' href='http://www.hideaway.net/2008/05/but-logo-says-im-secure.html' title='But the logo says I&apos;m secure!'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=121869284259845227&amp;postID=173280044883461508' title='0 Comments'/><link rel='replies' type='application/atom+xml' href='http://www.hideaway.net/atom.xml' title='Post Comments'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/121869284259845227/posts/default/173280044883461508'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/121869284259845227/posts/default/173280044883461508'/><author><name>Ryan</name><uri>http://www.blogger.com/profile/11336255133233594442</uri><email>noreply@blogger.com</email></author></entry><entry><id>tag:blogger.com,1999:blog-121869284259845227.post-1696659580292306158</id><published>2008-05-03T13:27:00.009-04:00</published><updated>2008-05-08T19:53:05.416-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='tools'/><category scheme='http://www.blogger.com/atom/ns#' term='penetration testing'/><category scheme='http://www.blogger.com/atom/ns#' term='windows'/><category scheme='http://www.blogger.com/atom/ns#' term='fuzzing'/><title type='text'>Fun with DCE-RPC Fuzzing</title><summary type='text'>I recently finished working on an interesting project that was a mix of architecture assessment and penetration testing.  One of our key tasks was to analyze the effectiveness of a firewall that they had configured to perform layer 7 inspection of Windows DCE-RPC traffic within their environment.  
The firewall was designed to enforce a white-list of allowed RPC services (based on UUID) and deny </summary><link rel='alternate' type='text/html' href='http://www.hideaway.net/2008/05/fun-with-dce-rpc-fuzzing.html' title='Fun with DCE-RPC Fuzzing'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=121869284259845227&amp;postID=1696659580292306158' title='0 Comments'/><link rel='replies' type='application/atom+xml' href='http://www.hideaway.net/atom.xml' title='Post Comments'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/121869284259845227/posts/default/1696659580292306158'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/121869284259845227/posts/default/1696659580292306158'/><author><name>Ryan</name><uri>http://www.blogger.com/profile/11336255133233594442</uri><email>noreply@blogger.com</email></author></entry><entry><id>tag:blogger.com,1999:blog-121869284259845227.post-4022273725831009447</id><published>2007-11-15T20:30:00.000-05:00</published><updated>2007-11-15T20:59:45.494-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='lame hacking'/><title type='text'>Hotel TVs and stupid security controls</title><summary type='text'>A quickie while I'm still logged on:

Ever come across a web application that only performs input validation via JavaScript?  It'll pop up and stop you from submitting a form with illegal characters, but it's obviously just a client-side control, and therefore trivial to bypass using a proxy tool like Paros or Burp.  Stupid, but I guess it stops the dumbest of script kiddies.

Earlier this week, </summary><link rel='alternate' type='text/html' href='http://www.hideaway.net/2007/11/hotel-tvs-and-stupid-security-controls.html' title='Hotel TVs and stupid security controls'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=121869284259845227&amp;postID=4022273725831009447' title='2 Comments'/><link rel='replies' type='application/atom+xml' href='http://www.hideaway.net/atom.xml' title='Post Comments'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/121869284259845227/posts/default/4022273725831009447'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/121869284259845227/posts/default/4022273725831009447'/><author><name>Ryan</name><uri>http://www.blogger.com/profile/11336255133233594442</uri><email>noreply@blogger.com</email></author></entry><entry><id>tag:blogger.com,1999:blog-121869284259845227.post-520109799787742819</id><published>2007-11-15T20:16:00.000-05:00</published><updated>2007-11-15T20:29:56.754-05:00</updated><title type='text'>Still alive</title><summary type='text'>So much for keeping a regular blog.  A few weeks of boring documentation work gave me no inspiration to write, and then I was on vacation for another two weeks.  Since then, I've been slammed with back-to-back web app assessments and pen-tests.  Which is great, because that's when I'm actually learning and exploring new techniques...except it also means that I'm too busy to post here.  
I have a </summary><link rel='alternate' type='text/html' href='http://www.hideaway.net/2007/11/still-alive.html' title='Still alive'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=121869284259845227&amp;postID=520109799787742819' title='0 Comments'/><link rel='replies' type='application/atom+xml' href='http://www.hideaway.net/atom.xml' title='Post Comments'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/121869284259845227/posts/default/520109799787742819'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/121869284259845227/posts/default/520109799787742819'/><author><name>Ryan</name><uri>http://www.blogger.com/profile/11336255133233594442</uri><email>noreply@blogger.com</email></author></entry><entry><id>tag:blogger.com,1999:blog-121869284259845227.post-8281007118820912500</id><published>2007-09-05T09:00:00.000-04:00</published><updated>2007-09-05T01:43:40.067-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='penetration testing'/><title type='text'>My First Physical</title><summary type='text'>After years of trying, I finally got onto a security project that included physical penetration testing.  I'll readily admit that I romanticized the whole idea of it - how can you not get excited about being allowed to break into a company's offices and hack their network like a real intruder?   I was going to do some real social engineering, maybe even some James Bond-esque stuff to get in.  
</summary><link rel='alternate' type='text/html' href='http://www.hideaway.net/2007/09/my-first-physical.html' title='My First Physical'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=121869284259845227&amp;postID=8281007118820912500' title='2 Comments'/><link rel='replies' type='application/atom+xml' href='http://www.hideaway.net/atom.xml' title='Post Comments'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/121869284259845227/posts/default/8281007118820912500'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/121869284259845227/posts/default/8281007118820912500'/><author><name>Ryan</name><uri>http://www.blogger.com/profile/11336255133233594442</uri><email>noreply@blogger.com</email></author></entry><entry><id>tag:blogger.com,1999:blog-121869284259845227.post-9113333885278317615</id><published>2007-08-23T21:14:00.000-04:00</published><updated>2007-08-23T22:09:07.403-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='penetration testing'/><category scheme='http://www.blogger.com/atom/ns#' term='windows'/><title type='text'>Pass the hash, NTLM style</title><summary type='text'>Way back in 1997, a Windows exploit named "NT Pass the Hash" was posted on Bugtraq.  This Unix-based tool was a modified SMB client that lets you use captured LanMan hashes, without having to decrypt them first.

After a mere ten years, someone has finally modernized this concept into a much more potent attack.  Core Security has released Pass-The-Hash Toolkit, which runs on Windows and works </summary><link rel='alternate' type='text/html' href='http://www.hideaway.net/2007/08/pass-hash-ntlm-style.html' title='Pass the hash, NTLM style'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=121869284259845227&amp;postID=9113333885278317615' title='0 Comments'/><link rel='replies' type='application/atom+xml' href='http://www.hideaway.net/atom.xml' title='Post Comments'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/121869284259845227/posts/default/9113333885278317615'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/121869284259845227/posts/default/9113333885278317615'/><author><name>Ryan</name><uri>http://www.blogger.com/profile/11336255133233594442</uri><email>noreply@blogger.com</email></author></entry><entry><id>tag:blogger.com,1999:blog-121869284259845227.post-6725183960420832398</id><published>2007-08-15T19:58:00.000-04:00</published><updated>2007-08-15T20:12:59.686-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='sql injection'/><category scheme='http://www.blogger.com/atom/ns#' term='web-app security'/><title type='text'>Out-of-band Oracle SQL injection with HTTP Requests</title><summary type='text'>I spent most of last week performing a web application assessment in the middle of nowhere, Alabama.  After the mad fun at BlackHat and several weeks of unpleasant documentation work preceding it, it was a nice change to spend five peaceful days completely focused on testing an interesting system.
This was an internal application, so I wasn't surprised to find that it was vulnerable to SQL </summary><link rel='alternate' type='text/html' href='http://www.hideaway.net/2007/08/out-of-band-oracle-sql-injection-with.html' title='Out-of-band Oracle SQL injection with HTTP Requests'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=121869284259845227&amp;postID=6725183960420832398' title='1 Comments'/><link rel='replies' type='application/atom+xml' href='http://www.hideaway.net/atom.xml' title='Post Comments'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/121869284259845227/posts/default/6725183960420832398'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/121869284259845227/posts/default/6725183960420832398'/><author><name>Ryan</name><uri>http://www.blogger.com/profile/11336255133233594442</uri><email>noreply@blogger.com</email></author></entry><entry><id>tag:blogger.com,1999:blog-121869284259845227.post-2455154933581896992</id><published>2007-08-13T19:09:00.000-04:00</published><updated>2007-08-13T19:21:38.022-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='web-app security'/><title type='text'>SensePost Releases Squeeza SQL Injector, Updates Wikto</title><summary type='text'>As referenced in my BlackHat wrap-up, SensePost has just released the squeeza tool and accompanying slide deck from their presentation.  Their work on timing-based attacks is really interesting, particularly what they have dubbed as "Cross-Site Request Timing": it's apparently possible to violate the same-origin policy by tracking page load times across multiple domains. 
They've also released an </summary><link rel='alternate' type='text/html' href='http://www.hideaway.net/2007/08/sensepost-releases-squeeza-sql-injector.html' title='SensePost Releases Squeeza SQL Injector, Updates Wikto'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=121869284259845227&amp;postID=2455154933581896992' title='0 Comments'/><link rel='replies' type='application/atom+xml' href='http://www.hideaway.net/atom.xml' title='Post Comments'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/121869284259845227/posts/default/2455154933581896992'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/121869284259845227/posts/default/2455154933581896992'/><author><name>Ryan</name><uri>http://www.blogger.com/profile/11336255133233594442</uri><email>noreply@blogger.com</email></author></entry><entry><id>tag:blogger.com,1999:blog-121869284259845227.post-7827551416703668345</id><published>2007-08-04T16:35:00.000-04:00</published><updated>2007-08-04T23:36:45.648-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='tools'/><category scheme='http://www.blogger.com/atom/ns#' term='web-app security'/><category scheme='http://www.blogger.com/atom/ns#' term='penetration testing'/><category scheme='http://www.blogger.com/atom/ns#' term='hacking'/><title type='text'>BlackHat Wrap-Up</title><summary type='text'>I've returned and recovered from a fun week at BlackHat in Las Vegas.  The conference was a great experience and had an excellent selection of speakers.  As with other hacking conventions I've attended in the past, it was humbling to see how smart some of the presenters and attendees are.  
I unfortunately couldn't make it to Defcon this year (damn client obligations!), but four days is just about</summary><link rel='alternate' type='text/html' href='http://www.hideaway.net/2007/08/blackhat-wrap-up.html' title='BlackHat Wrap-Up'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=121869284259845227&amp;postID=7827551416703668345' title='1 Comments'/><link rel='replies' type='application/atom+xml' href='http://www.hideaway.net/atom.xml' title='Post Comments'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/121869284259845227/posts/default/7827551416703668345'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/121869284259845227/posts/default/7827551416703668345'/><author><name>Ryan</name><uri>http://www.blogger.com/profile/11336255133233594442</uri><email>noreply@blogger.com</email></author></entry><entry><id>tag:blogger.com,1999:blog-121869284259845227.post-35234991243073641</id><published>2007-07-29T22:40:00.000-04:00</published><updated>2007-07-29T22:58:30.574-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='oracle'/><title type='text'>Oracle 9i/10g Views exploit</title><summary type='text'>A quick one for the weekend: Rawlab released a nice little SQL exploit for a recently-patched Oracle 9i/10g vulnerability involving specially crafted Views.  This flaw gives database users the ability to update/insert/delete records with SYSTEM privileges.  
The exploit updates a specified user account in SYS.USER$ with a new password; the code is straightforward enough to be easily modified if </summary><link rel='alternate' type='text/html' href='http://www.hideaway.net/2007/07/oracle-9i10g-views-exploit.html' title='Oracle 9i/10g Views exploit'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=121869284259845227&amp;postID=35234991243073641' title='0 Comments'/><link rel='replies' type='application/atom+xml' href='http://www.hideaway.net/atom.xml' title='Post Comments'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/121869284259845227/posts/default/35234991243073641'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/121869284259845227/posts/default/35234991243073641'/><author><name>Ryan</name><uri>http://www.blogger.com/profile/11336255133233594442</uri><email>noreply@blogger.com</email></author></entry><entry><id>tag:blogger.com,1999:blog-121869284259845227.post-399267932951364148</id><published>2007-07-25T23:12:00.000-04:00</published><updated>2007-07-26T00:17:47.016-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='web-app security'/><title type='text'>Dangerous links: Mozilla URI handler exploits</title><summary type='text'>There has been a lot of recent activity among security blogs covering serious new vulnerabilities in Mozilla's URI protocol handling.  
This is a significant issue because it is easily exploitable and yields remote command execution on a victim's PC: an attacker only needs to lead the user to a maliciously crafted link. The root of this flaw lies in how Mozilla handles URIs that are opened by other</summary><link rel='alternate' type='text/html' href='http://www.hideaway.net/2007/07/dangerous-links-mozilla-uri-handler.html' title='Dangerous links: Mozilla URI handler exploits'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=121869284259845227&amp;postID=399267932951364148' title='0 Comments'/><link rel='replies' type='application/atom+xml' href='http://www.hideaway.net/atom.xml' title='Post Comments'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/121869284259845227/posts/default/399267932951364148'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/121869284259845227/posts/default/399267932951364148'/><author><name>Ryan</name><uri>http://www.blogger.com/profile/11336255133233594442</uri><email>noreply@blogger.com</email></author></entry><entry><id>tag:blogger.com,1999:blog-121869284259845227.post-5870916518869131106</id><published>2007-07-24T22:07:00.000-04:00</published><updated>2007-07-24T22:29:45.497-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='web-app security'/><category scheme='http://www.blogger.com/atom/ns#' term='flash'/><title type='text'>More on Flash hacking</title><summary type='text'>A quick follow-up to my previous post on testing Flash sites: Stefano Di Paola recently delivered a superbly comprehensive presentation on Flash application security during this year's OWASP conference in Milan.  It goes into great detail on the ActionScript security model, how Flash applications are sandboxed, and a variety of client-side attack vectors.  
The resulting exploits include classic </summary><link rel='alternate' type='text/html' href='http://www.hideaway.net/2007/07/more-on-flash-hacking.html' title='More on Flash hacking'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=121869284259845227&amp;postID=5870916518869131106' title='0 Comments'/><link rel='replies' type='application/atom+xml' href='http://www.hideaway.net/atom.xml' title='Post Comments'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/121869284259845227/posts/default/5870916518869131106'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/121869284259845227/posts/default/5870916518869131106'/><author><name>Ryan</name><uri>http://www.blogger.com/profile/11336255133233594442</uri><email>noreply@blogger.com</email></author></entry><entry><id>tag:blogger.com,1999:blog-121869284259845227.post-5197070666731043160</id><published>2007-07-18T22:25:00.000-04:00</published><updated>2007-07-18T23:05:33.939-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='malware'/><category scheme='http://www.blogger.com/atom/ns#' term='networking'/><title type='text'>Threat analysis: Fast-Flux Service Networks</title><summary type='text'>Ever wonder how phishing and malware sites manage to stay online?  Through their analysis of botnets and infected hosts, the HoneyNet Project has documented an increasingly widespread technique used by online criminals: "Fast-Flux Service Networks".  It's an admittedly clever approach that makes it much harder to shut down malicious operations. 

The premise behind fast-flux service </summary><link rel='alternate' type='text/html' href='http://www.hideaway.net/2007/07/threat-analysis-fast-flux-service.html' title='Threat analysis: Fast-Flux Service Networks'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=121869284259845227&amp;postID=5197070666731043160' title='0 Comments'/><link rel='replies' type='application/atom+xml' href='http://www.hideaway.net/atom.xml' title='Post Comments'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/121869284259845227/posts/default/5197070666731043160'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/121869284259845227/posts/default/5197070666731043160'/><author><name>Ryan</name><uri>http://www.blogger.com/profile/11336255133233594442</uri><email>noreply@blogger.com</email></author></entry><entry><id>tag:blogger.com,1999:blog-121869284259845227.post-8107003906642830718</id><published>2007-07-17T23:12:00.000-04:00</published><updated>2007-07-17T23:13:37.212-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='tools'/><category scheme='http://www.blogger.com/atom/ns#' term='web-app security'/><category scheme='http://www.blogger.com/atom/ns#' term='flash'/><title type='text'>Decompiling and testing Flash-based web sites</title><summary type='text'>I've recently been evaluating several tools to help our team perform security assessments on Flash-based web applications.  We occasionally have to test client sites that are almost entirely written in Flash, and they can be even more annoying to assess than they are to use.  I have never really worked with the language from a developer's perspective, so it's been a good learning experience.

I </summary><link rel='alternate' type='text/html' href='http://www.hideaway.net/2007/07/tools-to-help-test-flash-based-web.html' title='Decompiling and testing Flash-based web sites'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=121869284259845227&amp;postID=8107003906642830718' title='0 Comments'/><link rel='replies' type='application/atom+xml' href='http://www.hideaway.net/atom.xml' title='Post Comments'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/121869284259845227/posts/default/8107003906642830718'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/121869284259845227/posts/default/8107003906642830718'/><author><name>Ryan</name><uri>http://www.blogger.com/profile/11336255133233594442</uri><email>noreply@blogger.com</email></author></entry><entry><id>tag:blogger.com,1999:blog-121869284259845227.post-7073415107894447909</id><published>2007-07-16T23:28:00.000-04:00</published><updated>2007-07-16T23:49:27.894-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='web-app security'/><category scheme='http://www.blogger.com/atom/ns#' term='XSS'/><title type='text'>JavaScript Web Spider - Powered by Yahoo</title><summary type='text'>pdp has released a proof-of-concept web spider written completely in JavaScript.  It is a pure client-side tool, requiring no server support other than the Yahoo Site Explorer service it leverages.  The spider is very efficient - it can index the files and directory structure of a web site within a few queries, making it very fast.  
The only limitation is that it can only fetch pages </summary><link rel='alternate' type='text/html' href='http://www.hideaway.net/2007/07/javascript-web-spider-powered-by-yahoo.html' title='JavaScript Web Spider - Powered by Yahoo'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=121869284259845227&amp;postID=7073415107894447909' title='0 Comments'/><link rel='replies' type='application/atom+xml' href='http://www.hideaway.net/atom.xml' title='Post Comments'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/121869284259845227/posts/default/7073415107894447909'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/121869284259845227/posts/default/7073415107894447909'/><author><name>Ryan</name><uri>http://www.blogger.com/profile/11336255133233594442</uri><email>noreply@blogger.com</email></author></entry><entry><id>tag:blogger.com,1999:blog-121869284259845227.post-8193177552675965763</id><published>2007-07-15T19:15:00.000-04:00</published><updated>2007-07-15T19:52:37.962-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='tools'/><category scheme='http://www.blogger.com/atom/ns#' term='web-app security'/><category scheme='http://www.blogger.com/atom/ns#' term='penetration testing'/><title type='text'>Backdoor scripts to compromise web servers</title><summary type='text'>I have been putting together a collection of scripts used to gain command execution or reverse-shell access on web servers.  We use this type of tool frequently during pen-tests; all you need is the ability to upload files to the web server (and a little luck - remember that you're executing under the context of the server process, which may have limited permissions).  
These scripts are available</summary><link rel='alternate' type='text/html' href='http://www.hideaway.net/2007/07/backdoor-scripts-for-shell-access-on.html' title='Backdoor scripts to compromise web servers'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=121869284259845227&amp;postID=8193177552675965763' title='1 Comments'/><link rel='replies' type='application/atom+xml' href='http://www.hideaway.net/atom.xml' title='Post Comments'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/121869284259845227/posts/default/8193177552675965763'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/121869284259845227/posts/default/8193177552675965763'/><author><name>Ryan</name><uri>http://www.blogger.com/profile/11336255133233594442</uri><email>noreply@blogger.com</email></author></entry><entry><id>tag:blogger.com,1999:blog-121869284259845227.post-4919805807548125409</id><published>2007-07-12T22:30:00.000-04:00</published><updated>2007-07-12T23:41:19.278-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='news'/><category scheme='http://www.blogger.com/atom/ns#' term='penetration testing'/><title type='text'>Insecurity through stupidity - FTP servers expose DoD data</title><summary type='text'>The Associated Press is running a story on how they discovered an extensive number of sensitive but unclassified military documents kept on unsecured FTP servers.  Both government and contractor systems were found to allow anonymous access to goodies like project schematics, facility security information, building plans, and geological survey data.  
Some of the responses by the guilty parties are</summary><link rel='alternate' type='text/html' href='http://www.hideaway.net/2007/07/security-101-for-dod-and-contractors.html' title='Insecurity through stupidity - FTP servers expose DoD data'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=121869284259845227&amp;postID=4919805807548125409' title='0 Comments'/><link rel='replies' type='application/atom+xml' href='http://www.hideaway.net/atom.xml' title='Post Comments'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/121869284259845227/posts/default/4919805807548125409'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/121869284259845227/posts/default/4919805807548125409'/><author><name>Ryan</name><uri>http://www.blogger.com/profile/11336255133233594442</uri><email>noreply@blogger.com</email></author></entry><entry><id>tag:blogger.com,1999:blog-121869284259845227.post-6941717509535719274</id><published>2007-07-11T22:59:00.000-04:00</published><updated>2007-07-11T23:05:28.895-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='sql injection'/><category scheme='http://www.blogger.com/atom/ns#' term='web-app security'/><title type='text'>How to NOT protect your site against SQL injection</title><summary type='text'>Parameterized queries?  Input validation?  Pfft.  Really secure sites don't need that kind of nonsense to protect against SQL injection attacks.  
They just kindly ask that you avoid submitting values like "SELECT FROM" or "DROP".</summary><link rel='alternate' type='text/html' href='http://www.hideaway.net/2007/07/how-to-not-protect-your-site-against.html' title='How to NOT protect your site against SQL injection'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=121869284259845227&amp;postID=6941717509535719274' title='1 Comments'/><link rel='replies' type='application/atom+xml' href='http://www.hideaway.net/atom.xml' title='Post Comments'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/121869284259845227/posts/default/6941717509535719274'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/121869284259845227/posts/default/6941717509535719274'/><author><name>Ryan</name><uri>http://www.blogger.com/profile/11336255133233594442</uri><email>noreply@blogger.com</email></author></entry><entry><id>tag:blogger.com,1999:blog-121869284259845227.post-8322608304540452106</id><published>2007-07-10T21:18:00.001-04:00</published><updated>2007-07-10T21:58:33.358-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='tools'/><category scheme='http://www.blogger.com/atom/ns#' term='web-app security'/><category scheme='http://www.blogger.com/atom/ns#' term='XSS'/><title type='text'>HTTP proxying through XSS</title><summary type='text'>RSnake's blog just turned me on to the release of XSSTunnel, a very slick project by Ferruh Mavituna.   This .NET-based tool lets you leverage a cross-site scripting vulnerability into a full HTTP proxy.  By using XSSTunnel in concert with Ferruh's XSS Shell, you can pipe any scanning tool that supports HTTP proxies to run through a victim's "infected" browser.  
The possibilities are endless: you</summary><link rel='alternate' type='text/html' href='http://www.hideaway.net/2007/07/http-proxying-through-xss.html' title='HTTP proxying through XSS'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=121869284259845227&amp;postID=8322608304540452106' title='0 Comments'/><link rel='replies' type='application/atom+xml' href='http://www.hideaway.net/atom.xml' title='Post Comments'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/121869284259845227/posts/default/8322608304540452106'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/121869284259845227/posts/default/8322608304540452106'/><author><name>Ryan</name><uri>http://www.blogger.com/profile/11336255133233594442</uri><email>noreply@blogger.com</email></author></entry><entry><id>tag:blogger.com,1999:blog-121869284259845227.post-8090315089200470278</id><published>2007-07-09T23:45:00.000-04:00</published><updated>2007-07-09T23:49:26.445-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='vnc'/><category scheme='http://www.blogger.com/atom/ns#' term='penetration testing'/><category scheme='http://www.blogger.com/atom/ns#' term='networking'/><title type='text'>Stating the obvious - VNC is insecure</title><summary type='text'>If you need to provide remote desktop access to your organization's Windows machines, and care even a little bit about IT security, do NOT use VNC. The Windows built-in Remote Assistance / Remote Desktop tools are a far better choice. 
This may seem obvious, but I still find organizations running VNC servers all over the place, usually for the helpdesk to provide users with remote troubleshooting.</summary><link rel='alternate' type='text/html' href='http://www.hideaway.net/2007/07/stating-obvious-vnc-is-insecure_09.html' title='Stating the obvious - VNC is insecure'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=121869284259845227&amp;postID=8090315089200470278' title='0 Comments'/><link rel='replies' type='application/atom+xml' href='http://www.hideaway.net/atom.xml' title='Post Comments'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/121869284259845227/posts/default/8090315089200470278'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/121869284259845227/posts/default/8090315089200470278'/><author><name>Ryan</name><uri>http://www.blogger.com/profile/11336255133233594442</uri><email>noreply@blogger.com</email></author></entry><entry><id>tag:blogger.com,1999:blog-121869284259845227.post-3886676068758270240</id><published>2007-07-07T16:50:00.000-04:00</published><updated>2007-07-07T17:29:17.391-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='tools'/><category scheme='http://www.blogger.com/atom/ns#' term='anti-virus'/><category scheme='http://www.blogger.com/atom/ns#' term='penetration testing'/><title type='text'>Bypassing anti-virus detection of Netcat</title><summary type='text'>Ever wonder how to modify a hacking tool to evade anti-virus programs?  I always understood how signature-based detection worked, but never bothered trying to bypass it during a pen-test.  That's typically not something we have time to do on the fly.  
Besides, the only program we use that gets detected consistently is pwdump - and we got around that problem by modifying the source and recompiling</summary><link rel='alternate' type='text/html' href='http://www.hideaway.net/2007/07/bypassing-anti-virus-detection-of.html' title='Bypassing anti-virus detection of Netcat'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=121869284259845227&amp;postID=3886676068758270240' title='0 Comments'/><link rel='replies' type='application/atom+xml' href='http://www.hideaway.net/atom.xml' title='Post Comments'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/121869284259845227/posts/default/3886676068758270240'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/121869284259845227/posts/default/3886676068758270240'/><author><name>Ryan</name><uri>http://www.blogger.com/profile/11336255133233594442</uri><email>noreply@blogger.com</email></author></entry><entry><id>tag:blogger.com,1999:blog-121869284259845227.post-9025176220088916598</id><published>2007-07-07T12:13:00.000-04:00</published><updated>2007-07-09T23:51:34.986-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='linux'/><category scheme='http://www.blogger.com/atom/ns#' term='gadgets'/><title type='text'>Mobile hacking with the Nokia 770 tablet</title><summary type='text'>I have a bad habit of impulse-purchases when it comes to gadgets, but I'm pretty pleased with how my latest turned out - the Nokia 770 Internet Tablet.  It was on Woot a few weeks ago for $135 and you can still buy them on Buy.com for around the same price.  
This little device is about the size of a Nintendo DS lite, and runs a stripped down version of Debian with a development platform called </summary><link rel='alternate' type='text/html' href='http://www.hideaway.net/2007/07/mobile-hacking-with-nokia-770-tablet.html' title='Mobile hacking with the Nokia 770 tablet'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=121869284259845227&amp;postID=9025176220088916598' title='0 Comments'/><link rel='replies' type='application/atom+xml' href='http://www.hideaway.net/atom.xml' title='Post Comments'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/121869284259845227/posts/default/9025176220088916598'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/121869284259845227/posts/default/9025176220088916598'/><author><name>Ryan</name><uri>http://www.blogger.com/profile/11336255133233594442</uri><email>noreply@blogger.com</email></author></entry><entry><id>tag:blogger.com,1999:blog-121869284259845227.post-3784490122922115504</id><published>2007-07-06T00:56:00.000-04:00</published><updated>2007-07-06T13:13:25.352-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='tools'/><category scheme='http://www.blogger.com/atom/ns#' term='sql injection'/><category scheme='http://www.blogger.com/atom/ns#' term='oracle'/><title type='text'>Hacking Oracle Application Servers</title><summary type='text'>A recent post on Darknet turned me on to a new tool for testing Oracle Application Servers called OAPScan.  This neat little Perl script is similar to Nikto - it does a "dumb" crawl of web servers based on a scan database and uses pattern matching and server responses to determine whether certain files, paths, and vulnerabilities exist.  
But unlike Nikto, OAPScan's database has a robust number of</summary><link rel='alternate' type='text/html' href='http://www.hideaway.net/2007/07/hacking-oracle-application-servers.html' title='Hacking Oracle Application Servers'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=121869284259845227&amp;postID=3784490122922115504' title='0 Comments'/><link rel='replies' type='application/atom+xml' href='http://www.hideaway.net/atom.xml' title='Post Comments'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/121869284259845227/posts/default/3784490122922115504'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/121869284259845227/posts/default/3784490122922115504'/><author><name>Ryan</name><uri>http://www.blogger.com/profile/11336255133233594442</uri><email>noreply@blogger.com</email></author></entry><entry><id>tag:blogger.com,1999:blog-121869284259845227.post-5916328907752204841</id><published>2007-07-04T22:15:00.001-04:00</published><updated>2007-07-05T00:14:55.758-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='tools'/><category scheme='http://www.blogger.com/atom/ns#' term='penetration testing'/><category scheme='http://www.blogger.com/atom/ns#' term='networking'/><title type='text'>Reverse tunneling with Zebedee to compromise trusted networks</title><summary type='text'>During a recent external pen-test, my teammate and I were able to gain root access to a Unix web server through a few serious application vulnerabilities.  Once we had a reverse-shell going, we used wget to download Nmap, compiled it, and set off some scans to map out the DMZ and any reachable internal servers.  Pretty straightforward so far.

Turned out that there really was no DMZ - everything </summary><link rel='alternate' type='text/html' href='http://www.hideaway.net/2007/07/reverse-tunneling-with-zebedee.html' title='Reverse tunneling with Zebedee to compromise trusted networks'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=121869284259845227&amp;postID=5916328907752204841' title='0 Comments'/><link rel='replies' type='application/atom+xml' href='http://www.hideaway.net/atom.xml' title='Post Comments'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/121869284259845227/posts/default/5916328907752204841'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/121869284259845227/posts/default/5916328907752204841'/><author><name>Ryan</name><uri>http://www.blogger.com/profile/11336255133233594442</uri><email>noreply@blogger.com</email></author></entry><entry><id>tag:blogger.com,1999:blog-121869284259845227.post-7246799790398930828</id><published>2007-07-04T02:59:00.000-04:00</published><updated>2007-07-04T12:00:26.350-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='penetration testing'/><category scheme='http://www.blogger.com/atom/ns#' term='windows'/><title type='text'>Why is it still so easy to hack Windows networks?</title><summary type='text'>The other day, a few of us at work were discussing how internal Windows penetration tests have remained ridiculously easy, irrespective of the client, since we first started in this field. Between the four of us, we've done at least twenty or thirty Windows internal pen-tests in the last few years, against both gigantic and small networks.  
Regardless of the target's size and complexity, we can </summary><link rel='alternate' type='text/html' href='http://www.hideaway.net/2007/07/why-are-windows-internal-pen-tests.html' title='Why is it still so easy to hack Windows networks?'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=121869284259845227&amp;postID=7246799790398930828' title='0 Comments'/><link rel='replies' type='application/atom+xml' href='http://www.hideaway.net/atom.xml' title='Post Comments'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/121869284259845227/posts/default/7246799790398930828'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/121869284259845227/posts/default/7246799790398930828'/><author><name>Ryan</name><uri>http://www.blogger.com/profile/11336255133233594442</uri><email>noreply@blogger.com</email></author></entry></feed>